Lab2 - Clickjacking with form input data prefilled from a URL paramet

Date : 12 Mar, 2025

Log in to the account on the target website. (credentials: wiener:peter)
Go to the exploit server and paste the following HTML template into the "Body" section:

<style> iframe { position:relative; width:$width_value; height: $height_value; opacity: $opacity; z-index: 2; } div { position:absolute; top:$top_value; left:$side_value; z-index: 1; } </style> <div>Test me</div> <iframe src="YOUR-LAB-ID.web-security-academy.net/my-account?email=hacker@attacker-website.com"></iframe>
Make the following adjustments to the template:
- Replace YOUR-LAB-ID with your unique lab ID so that the URL points to the target website's user account page, which contains the "Update email" form.
- Substitute suitable pixel values for the $height_value and $width_value variables of the iframe (we suggest 700px and 500px respectively).
- Substitute suitable pixel values for the $top_value and $side_value variables of the decoy web content so that the "Update email" button and the "Test me" decoy action align (we suggest 400px and 80px respectively).
- Set the opacity value $opacity to ensure that the target iframe is transparent. Initially, use an opacity of 0.1 so that you can align the iframe actions and adjust the position values as necessary. For the submitted attack a value of 0.0001 will work.

Click Store and then View exploit.
Hover over "Test me" and ensure the cursor changes to a hand indicating that the div element is positioned correctly. If not, adjust the position of the div element by modifying the top and left properties of the style sheet.
Once you have the div element lined up correctly, change "Test me" to "Click me" and click Store.
Change the email address in your exploit so that it doesn't match your own.
Deliver the exploit to the victim to solve the lab.

Abstract

Motive / Objective:

The goal of this lab is to trick a victim into unknowingly updating their email address to one controlled by the attacker by using a clickjacking attack.

In short: You deceive the user into clicking a visible decoy button (“Click me”) which is placed directly over a hidden iframe targeting the “Update email” form on the target site.

What's Happening in This Lab:

The lab has a vulnerable web app where logged-in users can update their email address via a form at:
/my-account?email=attacker@evil.com
Your job is to embed this form in an invisible iframe on your own attack site.
Then place a fake button ("Click me") directly on top of the real “Update email” button.
When the victim clicks the fake button, it actually submits the form and updates their email to the attacker’s.