ProfessionalCommunity Edition

Burp Clickbandit

  • Last updated: March 1, 2024

  • Read time: 2 Minutes

Burp Clickbandit makes it quicker and easier to test for clickjacking vulnerabilities. This is when an attack overlays a frame on a decoy website to trick a user into clicking on actionable content. Clickbandit enables you to create an attack to confirm that this vulnerability can be successfully exploited. You use your browser to perform actions on a website, then Clickbandit creates an HTML file with a clickjacking overlay.

Burp Clickbandit runs in your browser using JavaScript. It works on all modern browsers except for Edge.


Exercise caution when running Burp Clickbandit on untrusted websites. Malicious JavaScript from the target site can subvert the HTML output that is generated by Burp Clickbandit.

Setting up Burp Clickbandit

Follow these steps to set up a Clickbandit attack:

  1. Go to the top-level Burp menu and select Burp Clickbandit.
  2. Click Copy Clickbandit to clipboard to copy the Clickbandit script.
  3. In your browser, visit the web page that you want to test.
  4. In your browser, open the developer console. This might be called Developer tools or JavaScript console.
  5. Paste the Clickbandit script into the developer console, and press enter.

The Clickbandit banner appears at the top of the browser window.

Running an attack

To run a clickjacking attack using Burp Clickbandit:

  1. Click Start to load the website.
  2. Click around the site, mimicking the actions that a victim user might perform. This is recorded by Clickbandit.
  3. Click Finish to complete your attack.

The target page handles clicks in the normal way. To disable this, select Disable click actions.

To avoid frame busters, select Sandbox iframe. This adds the sandbox attribute to the iframe.

Reviewing an attack

Once you have completed the attack, you can review the attack UI overlaid on the original page UI. Click the buttons on the attack UI to check that the attack works.

The following commands are available:

  • Toggle transparency - Show or hide the original page UI.
  • Reset - Restore the attack
  • Save - Save the attack in an HTML file. This can be used as a real-world exploit of the clickjacking vulnerability.
  • Use the + and - buttons to zoom in and out.
  • Use your keyboard arrow keys to reposition the attack UI.

Was this article helpful?