1. Web Security Academy
  2. Clickjacking
  3. Lab

Lab: Basic clickjacking with CSRF token protection

APPRENTICE

This lab contains login functionality and a delete account button that is protected by a CSRF token. A user will be clicking on "click" on a decoy website and the goal of the lab is to entice the user into deleting their account.

To solve the lab, craft some HTML that frames the account page and fools the user into deleting their account. The account is solved when the account is deleted.

You have an account on the application that you can use to help design your attack. The credentials are: carlos / montoya.

Note

The victim will be using Chrome so test your exploit on that browser.

Try Burp Suite for Free

Find clickjacking vulnerabilities using Burp Suite

Try for free