⚠️ Authorised Testing Only. All clickjacking techniques in this guide must be tested only against targets covered by an explicit bug bounty programme scope or systems you own. Building PoC exploits targeting third-party applications without authorisation violates computer misuse laws. All exercises target PortSwigger Web Security Academy labs, your own DVWA, or programme-approved targets only.
Clickjacking Bug Bounty 2026 :— I once reported a clickjacking finding on an account deletion endpoint, included a two-line PoC, and received a $1,200 payout within 48 hours. The fix was adding a single HTTP response header. The vulnerability had existed for years. Dozens of hunters had tested that endpoint and passed over it because clickjacking has a reputation for being low-severity. They were looking at the wrong pages. Clickjacking on an informational page is worth nothing. Clickjacking on a page where one click deletes your account, transfers your money, or authorises a malicious OAuth app is worth as much as any other critical finding. The technique is simple. The skill is knowing which pages to frame.
🎯 What You’ll Master in Day 20
Understand exactly how clickjacking works at the browser and HTTP header level
Detect missing X-Frame-Options and CSP frame-ancestors with Burp Suite and manual checks
Identify high-value frameable actions that produce paid bug bounty reports
Build PoC exploits using raw HTML iframes and Burp Clickbandit automation
Chain clickjacking with CSRF to escalate Medium findings to Critical severity
Write bug bounty reports that get triaged and paid rather than rejected as informational
⏱️ 40 min read · 3 hands-on exercises · Day 20 of 60
Day 19 covered CSRF — cross-site request forgery — where forged requests trigger actions without user awareness. Day 20’s clickjacking is a related but distinct attack vector: instead of forging the request, you hijack the legitimate user interaction itself. The victim genuinely clicks, but they click on something different from what they believe they’re clicking on. Together, CSRF and clickjacking form the complete picture of client-side action hijacking — two techniques that every bug bounty hunter must know cold.
How Clickjacking Actually Works at the Browser Level
Clickjacking — also called UI redressing — exploits the browser’s ability to embed external pages inside iframes. An attacker creates a malicious web page that contains the victim’s target application in a transparent iframe layered over a deceptive UI. The iframe is positioned so that a sensitive button on the real application — the “Delete Account” button, the “Confirm Transfer” button, the “Authorise App” button — is precisely aligned under something the victim would genuinely want to click on the attacker’s page.
The browser renders both the attacker’s page and the iframe simultaneously. From the victim’s perspective, they see only the attacker’s page — the transparent iframe makes the underlying application invisible. When they click what appears to be the attacker’s button, the click event actually passes through to the invisible application underneath. The victim has just performed an authenticated action on the real application without knowing it. Their session cookies, authenticated state, and all permissions are fully active because it’s their browser loading the real page — the application has no way to know the click came through an iframe overlay.
The browser-level protection against this attack comes from HTTP response headers. When a server includes X-Frame-Options: DENY in its response, the browser refuses to render that page inside any iframe. X-Frame-Options: SAMEORIGIN allows same-origin frames only. The modern replacement is the Content Security Policy frame-ancestors directive — frame-ancestors 'none' blocks all framing, frame-ancestors 'self' allows same-origin. When both protections are absent, the page can be framed by any domain, and the entire clickjacking attack surface opens up.
Browser Behaviour Note: Modern browsers (Chrome 80+, Firefox 75+, Safari 14+) all honour CSP frame-ancestors over X-Frame-Options when both are present. For a finding to be completely protected, either CSP frame-ancestors must be set, or X-Frame-Options must be set, or both. Missing only one of the two is still a finding if the missing one is CSP frame-ancestors, because that’s the modern standard.
securityelites.com
HTTP Response Header Audit — Protected vs Vulnerable
✅ PROTECTED RESPONSE
HTTP/2 200 OK
X-Frame-Options: DENY
Content-Security-Policy:
frame-ancestors ‘none’
Content-Type: text/html
Browser refuses to render in iframe
❌ VULNERABLE RESPONSE
HTTP/2 200 OK
X-Frame-Options: [MISSING]
Content-Security-Policy: [MISSING]
Content-Type: text/html
Page renders in any cross-origin iframe
📸 The detection is binary: either both headers are present and the page is protected, or at least one is missing and the page is potentially frameable. In Burp Suite Proxy History, check the Response tab for every sensitive page you test. The absence of both X-Frame-Options and Content-Security-Policy with frame-ancestors in the same response is your trigger to build a PoC.
Detection — Finding Missing Framing Protection with Burp Suite
Detecting clickjacking vulnerabilities is straightforward once you understand what you’re looking for in HTTP response headers. The challenge isn’t the detection itself — it’s doing it efficiently across large applications with hundreds of endpoints and knowing which responses are worth checking in detail. My workflow combines Burp Suite’s passive scanner (which flags missing X-Frame-Options automatically) with manual header review for high-value sensitive action endpoints that I identify by browsing the application.
When Burp Suite’s spider or manual browsing captures responses, the passive scanner runs automatically and adds “Missing X-Frame-Options header” issues to the Issues tab for every response missing the header. This gives you a map of the entire frameable surface of the application. Your next step is triage — not every missing header represents a viable bug bounty finding. You need to cross-reference the list of frameable URLs with the application’s sensitive action inventory to find the intersection where real impact exists.
DETECTING CLICKJACKING — BURP SUITE AND MANUAL CHECKS
# If page renders in iframe: frameable. If blank/error: protected.
One important nuance to understand: some pages set X-Frame-Options or CSP frame-ancestors on the main document response but not on sub-resources or API responses that populate the page. For clickjacking purposes, what matters is the header on the page the victim would need to be viewing — the page that contains the sensitive action button. Always check the specific response for the sensitive action page, not just the homepage or login page headers.
🛠️ EXERCISE 1 — BROWSER (12 MIN · NO INSTALL)
Audit Three Real Websites for Clickjacking Vulnerability
⏱️ 12 minutes · Browser only — no tools, no install required
You’ll use browser developer tools to check HTTP headers — the same fundamental check that professional bug bounty hunters perform on every target.
Step 1: Open your browser. Go to any website with user accounts
(try a social media platform, a portfolio site, or any service you use).
Navigate to a settings page — ideally account deletion or password change.
Step 2: Open Developer Tools (F12). Go to Network tab.
Reload the page. Click on the main document request (first request, type=document).
Click “Headers” and look at the Response Headers section.
Search for: X-Frame-Options and Content-Security-Policy.
Step 3: Note what you find:
– Both present → protected
– X-Frame-Options present, no CSP frame-ancestors → partially protected
– Neither present → potentially frameable
Step 4: Check 3 different sensitive pages on 3 different sites.
For each, record:
– The URL
– Whether X-Frame-Options is present (and its value)
– Whether CSP frame-ancestors is present (and its value)
– Your assessment: is this page potentially frameable?
✅ What you just learned: HTTP header inspection is a fundamental skill that applies to every web vulnerability class, not just clickjacking. The Network tab in developer tools gives you the same information Burp Suite proxy captures — for quick checks, the browser is sufficient. You’ll often find production websites from major companies missing one or both framing headers on their settings pages. This is the finding. The next step is always: is there a sensitive action on this page? If yes — you have a potential bug bounty submission.
📸 Screenshot the Network response headers from one of your checks — blurred URL if preferred. Post to #day-20-clickjacking on Discord with your findings.
Which Pages Are Worth Framing — Impact Assessment
This is where most beginners go wrong with clickjacking. They find missing X-Frame-Options on a login page or a homepage, build a PoC, submit it, and get back a rejection: “Informational — no sensitive action affected.” Triagers have seen thousands of these submissions. Missing framing headers on a page with no sensitive action is a best practice violation, not a security vulnerability. To get paid, you need to find the intersection of two conditions: the page is frameable, and the page contains a sensitive action that causes real harm if triggered without the victim’s intent.
The hierarchy of valuable clickjacking targets starts with the most impactful: account deletion with no confirmation step, one-click financial transfers or purchases, OAuth authorisation endpoints where one click grants an attacker’s app access to the victim’s account, admin panel actions like user privilege escalation or account deactivation, and password change pages on applications that don’t require the current password. Below these sit medium-value targets: profile data modification, subscription changes, privacy setting toggles, and connected application authorisations. The bottom tier — login pages, public content, search functionality — rarely produces viable findings.
⚠️ Common Rejection Scenario: “I found missing X-Frame-Options on the login page.” This is almost always rejected. The login page has no sensitive action — the attacker can’t steal credentials through a click overlay, they’d need to capture typed input which requires a different attack (not clickjacking). Focus exclusively on post-authentication pages where sensitive actions can be triggered with a single click.
📸 Clickjacking impact triage matrix. Severity and payout are almost entirely determined by which page is frameable and what action that page enables. The exact same missing header finding earns $0 on a login page and $2,000 on an account deletion page. Always map the frameable pages to their associated actions before deciding whether to build a PoC and submit.
Building a Clickjacking PoC — The HTML Iframe Method
A proof-of-concept for clickjacking demonstrates that a victim can be made to perform a sensitive action without intending to. The PoC must include a realistic decoy that a victim would actually click — not just a blank page with a transparent iframe. Triagers need to be able to run the PoC and see the attack work in their browser. A PoC that requires expert knowledge to set up or that doesn’t visually demonstrate the overlap will slow down triage and may lead to a lower severity rating.
The HTML structure is simple: an outer div containing two layers. The bottom layer is the target application’s sensitive page in an iframe styled with opacity: 0.00001 (functionally transparent but technically present in the DOM — some browsers reject opacity: 0). The top layer is your decoy, positioned absolutely over the iframe at precisely the coordinates of the target’s sensitive button. The iframe is sized to match the target page’s layout, and the decoy button is positioned using CSS absolute positioning to align exactly with the action button underneath.
CLICKJACKING PoC — HTML IFRAME TEMPLATE
<!– Save as clickjacking_poc.html — open in browser to test –>
# 3. Change opacity back to 0.00001 for the real PoC
# 4. Test in an authenticated browser session
When calibrating the PoC, use opacity: 0.5 temporarily so you can see both layers simultaneously. Adjust the top and left CSS values of the decoy button until it appears to overlap the target’s real action button. Once perfectly aligned, reduce the opacity to 0.00001 and test the click. If the target action fires when you click the decoy — and the iframe was genuinely invisible — your PoC is ready. Document the exact pixel values and include them in your report so triagers can reproduce without guessing.
Burp Clickbandit — Automated PoC Generation
Manually calibrating iframe pixel positions is time-consuming when you have many targets to test. Burp Suite’s Clickbandit tool eliminates this problem entirely. Clickbandit records your interactions with the real target page, identifies the precise positions and sizes of the buttons you click, and generates a polished PoC HTML file automatically. The output is presentation-ready — the kind of PoC that impresses triagers because it requires no setup and works immediately when opened in a browser.
Clickbandit runs inside Burp Suite’s embedded Chromium browser. You navigate to the target page, launch Clickbandit, click the buttons you want to demonstrate being clickjacked, then export the PoC. The exported file contains all the necessary pixel calculations already done and typically includes a slider that lets the triage reviewer reveal the hidden iframe underneath the decoy layer — a powerful demonstration that makes the attack mechanism visually obvious.
BURP CLICKBANDIT — STEP-BY-STEP WORKFLOW
# Step 1: Open Burp Suite
# Navigate to: Burp menu (top bar) > Burp Clickbandit
# A new window opens with Clickbandit instructions
# Step 2: Copy the Clickbandit JavaScript (provided in the window)
# Open a separate browser tab, navigate to target URL
# Make sure you’re logged into the target application
# Step 3: Paste the Clickbandit JS into browser console (F12 > Console)
// Paste the Clickbandit script here and press Enter
// A red “Record” banner appears at the top of the page
# Step 4: Click “Start” in the Clickbandit banner
# Click the sensitive action button (e.g., “Delete Account”)
# Click “Finish” when done recording interactions
# Step 5: Toggle between “show” and “hide” overlay to verify alignment
# The slider reveals/hides the real iframe underneath the decoy
# Step 6: Save the PoC
# Click “Save” — Clickbandit downloads the PoC as an HTML file
# File includes the drag-to-reveal slider for triage demonstration
# Include this file as an attachment in your bug bounty report
# Triagers can open it in any browser to instantly reproduce the attack
securityelites.com
Burp Clickbandit — PoC Output with Reveal Slider
SLIDER: HIDDEN (attack mode)
🎁 Click to Claim Your Prize!
CLAIM NOW
Victim sees: attractive decoy page
SLIDER: REVEALED (proof mode)
⚠️ Delete Account
DELETE
Slider reveals: real target underneath
Clickbandit exports both views — the reveal slider makes the attack mechanism undeniable for triage
📸 Burp Clickbandit’s exported PoC includes an opacity slider that switches between the deceptive view (left — what the victim sees) and the revealed view (right — what they actually click). This dual-view demonstration is one of the most effective ways to communicate clickjacking impact to triagers who may not be familiar with the attack. Including this slider PoC in a bug bounty report eliminates any ambiguity about whether the attack is viable.
🌐 EXERCISE 2 — PORTSWIGGER WEB SECURITY ACADEMY (20 MIN)
Complete the Basic Clickjacking Lab on PortSwigger
Step 1: Go to portswigger.net/web-security/clickjacking
Register a free account if you don’t have one.
Click “Access the lab” for: “Basic clickjacking with CSRF token protection”
Step 2: Note the lab objective:
– The lab contains login functionality and a delete account button
– Your goal: construct a clickjacking attack that induces the victim to click “delete account”
– The victim user credentials are given on the lab page
Step 3: Build your HTML PoC
Using the template from the previous section, create clickjacking_poc.html.
Replace the src URL with the lab’s URL + /my-account.
Set the iframe opacity to 0.5 first to calibrate position.
Step 4: Calibrate the position
Find the “Delete account” button’s approximate position.
Adjust top/left values until your decoy overlaps the real button.
Reduce opacity to 0.00001.
Step 5: Host the file on the lab’s exploit server
The lab provides an exploit server — use it.
Paste your HTML, click “Store”, then “Deliver to victim”.
If done correctly, the lab marks as solved.
✅ What you just learned: PortSwigger labs simulate real triage conditions — the lab only marks as solved when your attack actually works against the victim user in an authenticated session. This forces you to build a working PoC rather than a theoretical one. The calibration process (adjusting top/left coordinates with the semi-transparent overlay) is the same process you’ll use on real bug bounty targets. Notice that the lab has a CSRF token on the form — yet clickjacking bypasses it entirely, because the victim’s own authenticated browser is making the request. This is why clickjacking doesn’t need CSRF to work, but combining the two elevates impact even further.
📸 Screenshot the solved lab page. Post to #day-20-clickjacking on Discord with your PoC code and tag #portswigger-solved.
Chaining Clickjacking with CSRF for Critical Severity
Individual clickjacking vulnerabilities require user interaction — the victim must be on the attacker’s page and click the decoy element. This “requires user interaction” limitation is why standalone clickjacking typically lands at Medium severity. Chaining clickjacking with CSRF removes this limitation on certain applications and pushes the finding into High or Critical territory.
The chain works when the sensitive action on the frameable page uses either no CSRF token at all, or a CSRF token that is predictable, reused, or can be extracted through a secondary vulnerability. In this scenario, the attacker’s page loads the iframe transparently, uses JavaScript to submit the form automatically as soon as the page loads, and the action fires before the victim has even read the page — let alone clicked anything. Account deletion, permission grants, and financial transfers using this chain are Critical findings on virtually every major bug bounty programme.
Even without a full CSRF chain, clickjacking combined with a drag-and-drop technique can steal clipboard content or force OAuth authorisation in a single interaction. The PortSwigger Web Security Academy has an excellent series of chained clickjacking labs covering multi-step attacks, drag-and-drop clipboard theft, and frame-busting script bypass that are worth completing in full as part of this day’s study.
Writing Clickjacking Bug Bounty Reports That Get Paid
The quality of your report determines whether a valid finding gets paid or rejected. I’ve reviewed hundreds of bug bounty reports in my career and the most common reason a valid clickjacking finding gets downgraded or rejected isn’t the vulnerability itself — it’s that the hunter didn’t demonstrate realistic impact. “The page is missing X-Frame-Options” tells a triager you found a header. A full report with a working PoC, a documented victim scenario, and a calculated business impact tells them you found an attack. These two framings produce completely different outcomes.
CLICKJACKING REPORT TEMPLATE — COMPONENTS THAT GET PAID
## Title
Clickjacking on /account/delete Enables One-Click Account Deletion Attack
## Severity: High
## Summary
The account deletion endpoint at https://target.com/account/delete is
missing both X-Frame-Options and CSP frame-ancestors response headers,
allowing it to be embedded in a malicious iframe. An attacker can create
a deceptive page that invisibly overlays the deletion button with an
enticing decoy, causing authenticated users who visit the attacker’s
page to delete their own accounts with a single click.
## Impact
An attacker can permanently delete any authenticated user’s account by
luring them to a malicious page. Account deletion is irreversible per
the platform’s terms. This constitutes a significant loss of service and
data for the victim. Delivery vector: phishing email, social media link,
or any hyperlink the victim follows while authenticated.
## Steps to Reproduce
1. Log in to the target application as victim user
2. Open the attached clickjacking_poc.html in the same browser
3. Click the “Claim Your Prize” button
4. Observe: the account deletion form submits and account is deleted
## Evidence
– curl output showing missing headers (attached)
– Screen recording of full attack (attached)
– clickjacking_poc.html file (attached)
## Remediation
Add to all response headers:
Content-Security-Policy: frame-ancestors ‘none’
X-Frame-Options: DENY
⚡ EXERCISE 3 — BURP SUITE + DVWA (18 MIN)
Use Burp Clickbandit to Build a PoC Against Your Local DVWA
⏱️ 18 minutes · Kali Linux + DVWA running locally + Burp Suite
# With opacity:0.5 you should see both layers — calibrate the decoy position
# Step 5: Once aligned, change opacity to 0.00001 and test
# Click the “Click Here” decoy button — observe whether the CSRF form submits
# Step 6: Now use Burp Clickbandit for the same target
# Burp Suite > Burp menu > Burp Clickbandit
# Follow the Clickbandit steps — record, finish, save PoC HTML
# Compare the Clickbandit-generated PoC with your manual one
✅ What you just learned: Building the PoC manually first — before using Clickbandit — teaches you what Clickbandit is actually doing. You understand the iframe opacity trick, the z-index layering, and the pixel calibration that makes the attack precise. Clickbandit automates this process for speed, but hunters who understand the underlying mechanics can adapt when Clickbandit doesn’t work — for example, on pages that use frame-busting JavaScript that Clickbandit can’t automatically bypass. The manual approach gives you full control for complex chains.
📸 Screenshot both your manual PoC (with semi-transparent overlay showing alignment) and the Clickbandit-generated output side by side. Post to #day-20-clickjacking with tag #burp-clickbandit.
🧠 QUICK CHECK — Day 20 Clickjacking
You find that a major platform’s account deletion page at /settings/delete is missing both X-Frame-Options and CSP frame-ancestors. You build a PoC showing the transparent iframe overlay. But when you submit the report, triage responds: “Missing X-Frame-Options is a best practice violation but requires user interaction and social engineering — we’re marking this as Informational.” What’s the most effective response?
📋 Commands Used Today — Day 20 Clickjacking Reference Card
curl -sI [url] | grep -iE “x-frame|content-security”Quick header check — no output means both headers missing = frameable
iframe opacity: 0.00001Functionally transparent iframe — use 0.5 to calibrate, then reduce
Burp > Burp ClickbanditAutomated PoC generator — record interactions, exports ready-to-submit HTML
X-Frame-Options: DENYRemediation — blocks all cross-origin framing
Content-Security-Policy: frame-ancestors ‘none’Modern remediation — always include alongside X-Frame-Options
🏆 Mark Day 20 Complete — Clickjacking Bug Bounty 2026
You now have a complete clickjacking methodology from header detection to PoC generation to paid report. Day 21 covers HTTP Request Smuggling — a server-side parsing vulnerability with far more complex discovery mechanics but potentially critical-severity findings on major platforms.
Clickjacking is a UI redressing attack where an attacker embeds a target application in a transparent iframe and overlays it with a deceptive interface. The victim clicks on what appears to be the attacker’s page but actually activates a sensitive action on the hidden application. Valid bug bounty findings require a frameable page containing a sensitive action — not just a missing header on an informational page.
What headers prevent clickjacking?
X-Frame-Options: DENY or SAMEORIGIN, and Content-Security-Policy: frame-ancestors ‘none’ or ‘self’. Both should be present. CSP frame-ancestors is the modern standard and takes precedence in modern browsers. A page missing both headers on a sensitive action endpoint is a valid bug bounty finding.
Is clickjacking always a valid bug bounty finding?
No. Missing framing headers on login pages, informational pages, or pages without sensitive actions are typically rejected as informational. Valid findings require the frameable page to contain a sensitive one-click action — account deletion, password change, OAuth authorisation, financial transactions — that causes real harm if triggered without intent.
How do I escalate clickjacking to higher severity?
Chain with CSRF. If the sensitive action has no CSRF token or a bypassable one, the combined attack eliminates the user interaction requirement — the action fires automatically when the victim loads the page. This elevates from Medium to High or Critical. Also include a realistic delivery scenario in your report, and a screen recording demonstrating the attack against an authenticated session.
What Burp Suite features are used for clickjacking testing?
Burp Clickbandit (Burp menu > Burp Clickbandit) automates PoC generation — navigate to the target, record interactions with the sensitive button, and export a polished PoC HTML with a reveal slider. Burp’s passive scanner also auto-flags missing X-Frame-Options during proxy interception, giving you a quick frameable surface map.
What payout range can I expect for clickjacking findings?
Ranges vary by programme and impact: login/public pages = $0 (rejected), profile modification = $100–$300, password/email change = $300–$800, account deletion = $500–$2,000, OAuth authorisation endpoint = $1,500–$5,000+. A well-documented PoC with clear impact always earns more than a bare header check. The clickjacking+CSRF chain on a major platform can reach critical severity payouts.
← Previous
Day 19: CSRF Bug Bounty 2026
Next →
Day 21: HTTP Request Smuggling 2026
📚 Further Reading
Day 15: CSRF and Authentication Bypass— CSRF and clickjacking chain together for the highest-impact one-click account takeover findings — understand CSRF thoroughly before building combined PoCs.
Day 18: OAuth Bug Bounty 2026— OAuth authorisation endpoints are among the highest-value clickjacking targets — framing the OAuth consent page allows one-click token theft without any user suspicion.
60-Day Bug Bounty Course Hub— Full course hub — Day 20 clickjacking sits within the client-side attack phase covering Days 14–25 of the complete methodology.
OWASP Clickjacking Defence Cheat Sheet— Definitive remediation reference — X-Frame-Options vs CSP frame-ancestors comparison, legacy browser support considerations, and implementation examples for all major frameworks.
ME
Mr Elite
Owner, SecurityElites.com
The clickjacking report that changed how I think about vulnerability impact was a $1,200 payout on an account deletion endpoint. I initially wrote a short report: “The page is missing X-Frame-Options.” Triage responded: “Informational — requires user interaction.” I rewrote the entire report with a screen recording, a realistic phishing email scenario showing how the victim would be lured, and a note that the deletion was irreversible and contained no email confirmation step. The same vulnerability, the same missing header, the same technical finding — but an entirely different impact argument. Retriage: High severity, $1,200. The lesson was simple: triagers aren’t evaluating the bug, they’re evaluating the risk. Your job is to make the risk undeniable.
If you have any queries feel free to ask here.