1. Web Security Academy
  2. Clickjacking
  3. Lab

Lab: Multistep clickjacking


This lab has some account functionality that is protected by a CSRF token and also has a confirmation dialog to protect against Clickjacking. To solve this lab construct an attack that fools the user into clicking the delete account button and the confirmation dialog by clicking on "Click me first" and "Click me next" decoy actions. You will need to use two elements for this lab.

You have an account on the application that you can use to help design your attack. The credentials are: carlos / montoya.


The victim will be using Chrome so test your exploit on that browser.