Basic clickjacking with CSRF token protection
Description
This lab contains login functionality and a delete account button that is protected by a CSRF token. A user will click on elements that display the word "click" on a decoy website.
To solve the lab, craft some HTML that frames the account page and fools the user into deleting their account. The lab is solved when the account is deleted.
You can log in to your own account using the following credentials: wiener:peter
Approach
After accessing the lab, I logged in with the provided credentials to locate the account deletion functionality and understand how the page works. I discovered that the user can delete their account by visiting https://0af0008e04ac50ab82e7747500ac00f5.web-security-academy.net/my-account and clicking the "Delete account" button.
To exploit this, I created a page that contains an iframe with the account deletion page. The iframe is invisible to the user to avoid detection, and I added a "CLICK ME" prompt that will entice the user to click. Here is the malicious HTML page hosted on the provided exploit server:
This HTML page has two main elements: an iframe and a div. The iframe contains the victim's /my-account page and is set to a relative position in CSS, meaning it remains within the normal document flow. The div, containing the "CLICK ME" text, has an absolute position, meaning it does not affect the layout of other elements and is not affected by them.
When the victim visits this exploit page, they see only the "CLICK ME" text. Clicking this text, which is not itself a link or button, actually presses the "Delete account" button in the iframe underneath it; the iframe's opacity of 0.00001 makes it virtually invisible to the user.
By copying this exploit into the body of the HTML page on the exploit server and delivering it, the lab is solved, confirming the deletion of the victim's account.
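The account page can be framed because the server sends no anti-framing header; the CSRF token does not help, since the framed page is the real one and already carries a valid token. As an added example (not part of the lab or the writeup above), here is a check a defender can run over a response's headers to decide whether a cross-origin page could frame it; the sample headers are constructed.

```python
"""Decide whether an HTTP response's headers stop cross-origin framing.

Added example, not part of the lab. Browsers honour a Content-Security-Policy
frame-ancestors directive in preference to X-Frame-Options, so it is checked
first; X-Frame-Options only counts for DENY and SAMEORIGIN.
"""
from typing import Mapping


def framing_blocked(headers: Mapping[str, str], own_origin: str) -> bool:
    """Return True if a page on another origin cannot frame this response."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return True
            # A malformed empty list is reported as unprotected so it gets fixed.
            if not sources:
                return False
            # Only 'self' or our own origin keeps an attacker's page out;
            # '*' or any other host would let an exploit server frame us.
            return all(s in ("self", own_origin.lower()) for s in sources)
    xfo = lower.get("x-frame-options", "").strip().upper()
    # ALLOW-FROM is no longer honoured by browsers, so it is treated as absent.
    return xfo in ("DENY", "SAMEORIGIN")


# Constructed sample headers: what a frameable account page looks like,
# and the same page with a hardened response.
ORIGIN = "https://example.test"
UNPROTECTED = {"Content-Type": "text/html; charset=utf-8"}
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for name, hdrs in (("unprotected", UNPROTECTED), ("hardened", HARDENED)):
        print(name, "blocks framing:", framing_blocked(hdrs, ORIGIN))
```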