1. Web Security Academy
  2. Clickjacking
  3. Lab

Lab: Multistep clickjacking

PRACTITIONER

This lab has some account functionality that is protected by a CSRF token and also has a confirmation dialog to protect against Clickjacking. To solve this lab construct an attack that fools the user into clicking the delete account button and the confirmation dialog by clicking on "Click me first" and "Click me next" decoy actions. You will need to use two elements for this lab.

You have an account on the application that you can use to help design your attack. The credentials are: carlos / montoya.

Note

The victim will be using Chrome so test your exploit on that browser.

Try Burp Suite for Free

Find clickjacking vulnerabilities using Burp Suite

Try for free