Burp Clickbandit

Burp Clickbandit is a tool for generating clickjacking attacks. When you have found a web page that may be vulnerable to clickjacking, you can use Burp Clickbandit to create an attack, and confirm that the vulnerability can be successfully exploited.

This documentation covers the following areas:

Note: Exercise caution when running Burp Clickbandit on untrusted websites. Malicious JavaScript from the target site can subvert the HTML output that is generated by Burp Clickbandit.

Running Burp Clickbandit

Burp Clickbandit runs in your browser using JavaScript. It works on all modern browsers except for Microsoft IE and Edge.

To run Clickbandit, go to the Burp menu and select "Burp Clickbandit". Then use the following steps:

  1. Click the "Copy Clickbandit to clipboard" button. This will copy the Clickbandit script to your clipboard.
  2. In your browser, visit the web page that you want to test, in the usual way.
  3. In your browser, open the web developer console. This might also be called "developer tools" or "JavaScript console".
  4. Paste the Clickbandit script into the web developer console, and press enter.

The Burp Clickbandit banner will appear at the top of the browser window and the original page will be reloaded within a frame, ready for the attack to be performed.

Record mode

Burp Clickbandit first loads in record mode. Click "Start" to load the site. Perform one or more mouse clicks to record your clickjacking attack. Typically, these are the clicks that the victim user would need to make to carry out the desired action.

By default, as clicks are recorded, they are also handled in the normal way by the target page. You can use the "disable click actions" checkbox to record clicks without the target page handling them.

You can click the "Sandbox iframe" checkbox to add the sandbox attribute to the iframe. This option will allow you to avoid frame busters.
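Because a sandboxed iframe neutralises script-based frame busters, the framing defence that actually holds is the one carried in response headers. As an added example (not Burp Clickbandit code or PortSwigger documentation), the Python below decides from a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers whether a browser would let a given origin frame the page; the header values and origins are constructed, and origin matching is simplified to exact comparison.

```python
# Added example (not Burp code): decide from response headers alone whether a
# browser would let another origin frame a page. Script-based frame busters are
# deliberately ignored, since a sandboxed iframe neutralises them.

def _frame_ancestors(csp):
    """Return the CSP frame-ancestors source list, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'\"").lower() for p in parts[1:]]
    return None

def framing_policy(headers, page_origin, framing_origin):
    """Return (frameable, reason). Origin matching is exact; scheme-only and
    wildcard-host CSP sources are not handled (a simplification)."""
    lower = {k.lower(): v for k, v in headers.items()}
    page_origin, framing_origin = page_origin.lower(), framing_origin.lower()
    # Browsers that support frame-ancestors ignore X-Frame-Options when both
    # are present, so CSP is consulted first.
    csp = lower.get("content-security-policy")
    sources = _frame_ancestors(csp) if csp is not None else None
    if sources is not None:
        if not sources or sources == ["none"]:
            return False, "CSP frame-ancestors 'none'"
        if "*" in sources or framing_origin in sources:
            return True, "CSP frame-ancestors permits the framing origin"
        if "self" in sources and framing_origin == page_origin:
            return True, "CSP frame-ancestors 'self' (same-origin framer)"
        return False, "CSP frame-ancestors excludes the framing origin"
    xfo = lower.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False, "X-Frame-Options: DENY"
    if xfo == "sameorigin":
        return framing_origin == page_origin, "X-Frame-Options: SAMEORIGIN"
    if xfo:  # ALLOW-FROM and other unrecognised values are ignored by browsers
        return True, "X-Frame-Options value not enforced by current browsers"
    return True, "no framing restriction in response headers"

# Constructed sample responses; header values and origins are made up.
SAMPLES = {
    "csp none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp beats xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, "->", framing_policy(hdrs, "https://app.example", "https://other.example"))
```

A page that comes back frameable here is one where a Clickbandit-style proof of concept will work regardless of any frame-busting script it ships.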

When you have finished recording, click the "Finish" button to enter review mode.

Review mode

When you have finished recording your attack, Burp Clickbandit enters review mode. This lets you review the generated attack, with the attack UI overlaid on the original page UI. You can click the buttons on the attack UI to verify that the attack works.

The following commands are available in review mode: