clickjacking
Basic clickjacking:
Clickbandit
Although you can manually create a clickjacking proof of concept as described above, this can be fairly tedious and time-consuming in practice. When you're testing for clickjacking in the wild, we recommend using Burp's Clickbandit tool instead. This lets you use your browser to perform the desired actions on the frameable page, then creates an HTML file containing a suitable clickjacking overlay. You can use this to generate an interactive proof of concept in a matter of seconds, without having to write a single line of HTML or CSS.
Clickjacking with form data:
Frame busting bypass
<iframe id="victim_website" src="https://victim-website.com" sandbox="allow-forms"></iframe>
Both the allow-forms and allow-scripts values permit the specified actions within the iframe, but top-level navigation stays disabled because allow-top-navigation is not granted. This neutralises frame-busting scripts in the framed page while leaving the targeted site's functionality intact.
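Because the sandbox attribute defeats script-based frame busting, the controls that actually hold are the browser-enforced ones: the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive. The following is an added defender-side example, not part of these notes and not Burp's or PortSwigger's code: a Python checker that decides from a response's headers whether a third-party origin could frame the page, applying the precedence rules browsers use (frame-ancestors wins over X-Frame-Options when both are present; ALLOW-FROM and unrecognised values give no protection). The header sets at the bottom are constructed samples, not captures from any real site.

```python
# Added example (not from the original notes): decide from response headers
# whether a page can be framed by another origin. Only X-Frame-Options and the
# CSP frame-ancestors directive are consulted, because in-page frame-busting
# JavaScript is neutralised by an iframe sandbox and cannot be relied on.
from urllib.parse import urlparse


def _origin_parts(origin):
    """Split 'https://app.example.com' into (scheme, host[:port])."""
    u = urlparse(origin)
    return u.scheme.lower(), u.netloc.lower()


def _source_matches(source, framer, page):
    """Match one frame-ancestors source expression against the framing origin."""
    f_scheme, f_host = _origin_parts(framer)
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return (f_scheme, f_host) == _origin_parts(page)
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:      # scheme-source, e.g. "https:"
        return f_scheme == src[:-1]
    # host-source, optionally with a scheme and a leading wildcard label
    scheme, _, host = src.rpartition("://")
    if scheme and scheme != f_scheme:
        return False
    if host.startswith("*."):
        return f_host.endswith(host[1:])          # "*.example.com" -> ".example.com"
    return f_host == host


def frame_ancestors(headers):
    """Return the frame-ancestors source list, or None if CSP does not set it.

    `headers` must already have lower-cased keys.
    """
    csp = headers.get("content-security-policy")
    if csp is None:
        return None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:] or ["'none'"]       # an empty source list matches nothing
    return None


def framing_allowed(headers, page_origin, framing_origin):
    """True if a browser would render page_origin inside a frame on framing_origin."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    sources = frame_ancestors(h)
    if sources is not None:
        # frame-ancestors takes precedence over X-Frame-Options when both are sent
        return any(_source_matches(s, framing_origin, page_origin) for s in sources)
    xfo = h.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin_parts(framing_origin) == _origin_parts(page_origin)
    # Missing header, ALLOW-FROM (dropped by current browsers) or an
    # unrecognised value: browsers treat the header as absent.
    return True


def assess(headers, page_origin, third_party="https://third-party.example"):
    """Defender-facing verdict: can an unrelated origin frame this page?"""
    return "frameable" if framing_allowed(headers, page_origin, third_party) else "protected"


# Constructed sample responses for demonstration (not captured from any real site).
SAMPLES = {
    "no-headers": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "xfo-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors https://*.example.com"},
    "csp-overrides-xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:18} {assess(hdrs, 'https://app.example.com')}")
```

Run it against the headers your own application actually returns; a "frameable" verdict on a page with state-changing buttons is the finding to fix, and the fix is the header (X-Frame-Options: DENY or frame-ancestors 'none'/'self'), not more JavaScript. The checker deliberately handles only a single CSP header per response; a server that sends several would need each one evaluated and the strictest applied.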