Burp Clickbandit makes it quicker and easier to test for clickjacking vulnerabilities. In a clickjacking attack, an attacker overlays a frame on a decoy website to trick a user into clicking actionable content. Clickbandit lets you build a proof-of-concept attack to confirm that the vulnerability can be exploited: you use your browser to perform actions on a website, and Clickbandit then generates an HTML file containing the clickjacking overlay.
Burp Clickbandit runs in your browser using JavaScript. It works on all modern browsers except for Edge.
Exercise caution when running Burp Clickbandit on untrusted websites. Malicious JavaScript from the target site can subvert the HTML output that is generated by Burp Clickbandit.
Follow these steps to set up a Clickbandit attack:
The Clickbandit banner appears at the top of the browser window.
To run a clickjacking attack using Burp Clickbandit:
The target page handles clicks in the normal way. To disable this, select Disable click actions.
To avoid frame busters, select Sandbox iframe. This adds the sandbox attribute to the iframe, which stops scripts in the framed page from navigating the top-level window, so JavaScript-based frame busting has no effect. Frame protection enforced by the browser (the X-Frame-Options header or a CSP frame-ancestors directive) is not affected by this option.
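As an added illustration that is not part of Burp's documentation or Clickbandit's code, the following Python helper (hypothetical name `assess_framing_protection`, constructed sample responses) classifies how a page defends against framing from its response headers and HTML, so a defender can spot pages that rely only on a JavaScript frame buster, which the sandbox attribute defeats.

```python
import re
from typing import Dict, Tuple

# Hypothetical helper, not part of Burp Clickbandit.
# Typical JavaScript frame-busting idioms found in page bodies.
FRAME_BUSTER_PATTERNS = [
    r"top\s*!==?\s*self",
    r"self\s*!==?\s*top",
    r"window\.top\s*!==?\s*window\.self",
    r"top\.location\s*=",
]


def assess_framing_protection(headers: Dict[str, str], body: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a response's framing protection.

    "strong": browser-enforced (CSP frame-ancestors or X-Frame-Options).
    "review": a browser-enforced policy exists but permits some ancestors.
    "weak":   only a JavaScript frame buster; a sandboxed iframe defeats it.
    "none":   nothing found.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors takes precedence over X-Frame-Options in browsers.
    csp = h.get("content-security-policy", "")
    m = re.search(r"frame-ancestors\s+([^;]+)", csp, re.I)
    if m:
        sources = m.group(1).strip()
        if sources.lower() in ("'none'", "'self'"):
            return "strong", f"CSP frame-ancestors {sources} is enforced by the browser"
        return "review", f"CSP frame-ancestors permits: {sources}"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "strong", f"X-Frame-Options {xfo} is enforced by the browser"
    if xfo:
        return "review", f"unsupported or obsolete X-Frame-Options value: {xfo}"

    # No header protection: check whether the page only relies on script.
    if any(re.search(p, body) for p in FRAME_BUSTER_PATTERNS):
        return "weak", ("only a JavaScript frame buster was found; an iframe with the "
                        "sandbox attribute blocks top navigation and defeats it")
    return "none", "no framing protection found"


# Constructed sample: a page that relies solely on a frame buster.
SAMPLE_BODY = "<script>if (top !== self) { top.location = self.location; }</script>"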
Once you have completed the attack, you can review the attack UI overlaid on the original page UI. Click the buttons on the attack UI to check that the attack works.
The following commands are available: