https://ioctl.lol/tags/poc/Recent content in Poc on ioctlHugoenioctlMon, 16 Mar 2026 00:00:00 +0000https://ioctl.lol/tools/clickjacking-poc/Mon, 16 Mar 2026 00:00:00 +0000https://ioctl.lol/tools/clickjacking-poc/<h2 id="whats-clickjacking">What&rsquo;s clickjacking</h2> <p>Target page gets loaded in an invisible iframe. Overlay it on a decoy page. Victim thinks they&rsquo;re clicking &ldquo;Free iPad&rdquo; but they&rsquo;re actually clicking &ldquo;Delete My Account&rdquo; on the real site underneath.</p> <p>It&rsquo;s been around forever and the fix is trivial, which makes it surprising how often it&rsquo;s still missing.</p> <hr> <h2 id="the-fix-and-what-were-testing-for">The fix (and what we&rsquo;re testing for)</h2> <p>Two headers kill this attack:</p> <pre tabindex="0"><code>X-Frame-Options: DENY </code></pre><p>or</p> <pre tabindex="0"><code>Content-Security-Policy: frame-ancestors &#39;none&#39; </code></pre><p><code>DENY</code> blocks framing entirely. <code>SAMEORIGIN</code> / <code>frame-ancestors 'self'</code> allows same-origin framing only. If neither header is present, the page can be framed by anyone.</p>