1. Web Security Academy
  2. Clickjacking
  3. Lab

Lab: Basic clickjacking with CSRF token protection


This lab contains login functionality and a delete account button that is protected by a CSRF token. A user will click on elements that display the word "click" on a decoy website.

To solve the lab, craft some HTML that frames the account page and fools the user into deleting their account. The lab is solved when the account is deleted.

You can log in to your own account using the following credentials: wiener:peter


The victim will be using Chrome so test your exploit on that browser.

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy
  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here