Clickjacking demo

CSP is active on the victim's page

The victim page uses the following CSP:

Content-Security-Policy: frame-ancestors 'none'

So the browser refuses to render the victim page inside the attacker's iframe (logging an error to the console), and the clickjacking attempt fails.
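The following is an added example, not code from the demo page: defender-side helpers that build the anti-framing headers the victim page relies on and check whether a given Content-Security-Policy value actually stops a foreign page from framing the response. The function names, the sample header values and the `applyAntiFramingHeaders` helper are assumptions made for this example; the behaviour they encode (an absent `frame-ancestors` directive, `*` or a bare scheme such as `https:` leaves the page frameable, `'none'` or an empty source list blocks all framing, `'none'` is ignored when other sources are present, and `X-Frame-Options` only expresses DENY and SAMEORIGIN) follows the CSP and X-Frame-Options specifications.

```javascript
// Added example (not part of the demo page): helpers for the anti-framing
// policy the victim page uses. Function names and header values are
// constructed for this example.

// Split a CSP header value into directives (name -> source list). When a
// directive name repeats, the first occurrence is the one the browser uses.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report whether the policy stops a third-party page from framing the response.
// No directive, '*' or a bare scheme ('https:') leaves the page frameable by
// arbitrary origins; 'none' or an empty source list blocks every ancestor.
function framingPolicy(headerValue) {
  const sources = parseCsp(headerValue || '').get('frame-ancestors');
  if (sources === undefined) {
    return { blocksForeignFraming: false, reason: 'no frame-ancestors directive' };
  }
  // 'none' only counts on its own; alongside other sources the browser ignores it.
  const effective = sources.map((s) => s.toLowerCase()).filter((s) => s !== "'none'");
  if (effective.length === 0) {
    return { blocksForeignFraming: true, allowed: [] };
  }
  const broad = effective.filter((s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s));
  if (broad.length > 0) {
    return { blocksForeignFraming: false, reason: `overly broad source(s): ${broad.join(' ')}` };
  }
  return { blocksForeignFraming: true, allowed: effective };
}

// Build the headers for a page that must not be framed (default) or may be
// framed only by the listed ancestors, e.g. ["'self'"]. X-Frame-Options is kept
// as a fallback for clients without frame-ancestors support; it can only say
// DENY or SAMEORIGIN, so it is omitted for any other allow list.
function antiFramingHeaders(allowedAncestors = []) {
  const sources = allowedAncestors.length ? allowedAncestors.join(' ') : "'none'";
  const headers = { 'Content-Security-Policy': `frame-ancestors ${sources}` };
  if (allowedAncestors.length === 0) {
    headers['X-Frame-Options'] = 'DENY';
  } else if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  return headers;
}

// Apply the headers to any response object exposing setHeader(name, value),
// such as Node's http.ServerResponse, and return the names that were set.
function applyAntiFramingHeaders(res, allowedAncestors = []) {
  const headers = antiFramingHeaders(allowedAncestors);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return Object.keys(headers);
}
```

In a Node HTTP handler, calling `applyAntiFramingHeaders(res)` before `res.end()` gives every response the same `frame-ancestors 'none'` policy the demo's victim page uses; `framingPolicy()` is the check to run over the headers an existing site already returns, since a policy that sets `default-src` but forgets `frame-ancestors` still leaves the page frameable.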

Payload

The evil page (this one) loads the victim page (the target) in an iframe and overlays it on a harmless-looking element of attacker.com.
Then, when the user thinks they are interacting with the harmless element of the evil page, they are actually interacting with the targeted victim page, which lets attackers make victims perform unwanted actions on the victim website.
In the sample below, a harmless-looking link is overlaid with a harmful action button from the targeted website. Obviously, a real attack would make the button far more transparent than this example!

The really harmless link:

Click to see adorable kitties!

The harmful button, embedded from the victim website using an iframe:

The overlaid result:

Click to see adorable kitties!
