Overview
Attacker overlays transparent iframe of target site over a decoy page. Victim clicks what they think is the decoy but actually interacts with the hidden target — changing settings, transferring funds, etc.Detection
Check Headers
Vulnerable If
- No
X-Frame-Optionsheader - No
frame-ancestorsin CSP X-Frame-Options: ALLOW-FROM(deprecated, not supported in modern browsers)
X-Frame-Options
| Value | Description |
|---|---|
DENY | Cannot be framed by anyone |
SAMEORIGIN | Only same origin can frame |
ALLOW-FROM uri | Deprecated — non-functional in modern browsers. Fails silently |
X-Frame-Options: DENY and frame-ancestors 'none' for backward compatibility.
CSP frame-ancestors (Modern)
frame-ancestors overrides X-Frame-Options when both present.
Basic PoC
Visible for Testing (opacity: 0.5)
Advanced Techniques
Drag-and-Drop Clickjacking
Trick user into dragging content from target iframe into attacker-controlled area:Multi-Step Clickjacking
Move iframe between clicks to chain multiple actions:Cursorjacking
Replace cursor with offset image — user clicks different position than expected:Common Targets
| Action | Impact |
|---|---|
| Change email/password | Account takeover |
| Enable 2FA on attacker device | Persistent access |
| Delete account | Destructive |
| Transfer funds | Financial |
| Change privacy settings | Data exposure |
| OAuth authorize | Token theft |
| Admin actions | Privilege abuse |
Additional Defenses
SameSite Cookies
SameSite=Strict or Lax session cookies are not sent in any framed (iframe) request regardless of method (GET or POST), since iframe loads are subresource requests — so they block clickjacking of authenticated actions. The real limitation: no protection when the targeted action doesn’t require the session cookie (or when tokens live in localStorage/sessionStorage).
JavaScript Frame-Busting (Unreliable)
sandbox attribute on iframe. Not a reliable defense.
Automation
Nuclei
One-Liner Check
Quick Reference
| Protection | Header |
|---|---|
| Block all framing | X-Frame-Options: DENY |
| Same origin only | X-Frame-Options: SAMEORIGIN |
| CSP (modern) | frame-ancestors 'none' or 'self' |
| PoC test | iframe with opacity: 0.0001 over decoy |