Web Security Web Security

Challenge 6: Clickjacking

Check out a free preview of the full Web Security course:
The "Challenge 6: Clickjacking" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

In this challenge, students create a landing page that can stage a clickjacking attack to trick a user.

Get Unlimited Access Now

Transcript from the "Challenge 6: Clickjacking" Lesson

[00:00:00]
>> Mike North: So what I'd like us to do is take advantage of the fact that we have a horrific issue in this app where we can populate form field by queryParams. This is not something you should see in online banking software, but this is nice for when your support team needs to lead you to a particular page.

[00:00:17] And they can pre-populate some stuff for you, or maybe we call this like, a template. It's a template form, you can bookmark this, and it will have everything filled out for you. If you use your imagination, this is not so ridiculous. However, it does put us in a position where we can create an iFrame that is one click away from a funds transfer.

[00:00:36] So what you're gonna do is create an iFrame in a new jsbin and see if you can get the CSS that applies to this iFrame just right, so that it's right over a button on a landing page you create. And so you can trick the user into clicking on that thing, maybe clicking on that thing multiple times, who knows?

[00:00:55] And essentially they'll end up interacting with an app that they are authenticated to use as a legitimate user, but they're just basically being tricked, right? You're compromising the user, not the system here.