← vuln-lab catalog

Clickjacking — sensitive one-click action

This "account settings" page ships a destructive one-click button and NO frame protection — /public/_headers deliberately omits X-Frame-Options and CSP frame-ancestors, and there is no JavaScript frame-buster. An attacker can iframe it transparently and trick a victim into clicking Delete.

(no action yet)

Trigger: <iframe src="/clickjacking/" style="opacity:.01"> positioned under a decoy button.

Detected by: browser_clickjacking_test, browser_clickjacking_poc_generate