Click Jacking Test Script

Some of you may have noticed that Nikto alerts on web servers that lack the X-Frame-Options header. This header tells the user agent how the page should be handled when it is loaded inside a frame, effectively preventing click-jacking: the overlaying of content on a framed page to fool a user into clicking on something they don't want to.

If your company's QA processes are anything like those of the company I work for, then every presented issue should be provided with evidence. A one-line output from Nikto saying "The anti-clickjacking X-Frame-Options header is not present" just doesn't cut the mustard: not only does it not prove much, it could also be a false positive, as frame-breaking JavaScript may be in use.

So, the simplest solution is to create an HTML page to load your chosen target in a browser and then overlay content over the top to show how easy it is to perform.

The attached HTML page does this. Enter the URL in the input box and press load to load it into an iframe. Then, when you need to take that all-important screenshot, you can hide the form using the toggle button at the top right.


Warning: it may not work correctly on Internet Explorer, as IE (still) doesn't follow standards.

The click jacking test page can be downloaded here: clickjacking-test.html.zip
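
To go with the screenshot, the header side of the evidence can be recorded as well. The function below is an added example, not part of the original post or its download: it classifies a response's anti-framing headers and goes slightly beyond the Nikto check by also reading the CSP frame-ancestors directive. The function name, result fields and sample headers are assumptions made for illustration.

```javascript
// Added example: classify the anti-framing headers of one HTTP response.
// `headers` maps header name -> value (string, or array for a repeated header).
function framingProtection(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = [].concat(value).map(String);
  }
  // 1. CSP frame-ancestors. ',' separates policies, ';' separates directives.
  //    Every policy must allow the embedder, so one restrictive policy is enough.
  const policies = (h['content-security-policy'] || []).flatMap(v => v.split(','));
  let openAncestors = false;
  for (const policy of policies) {
    for (const directive of policy.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() !== 'frame-ancestors') continue;
      const src = sources.map(s => s.toLowerCase());
      const open = src.some(s => s === '*' || /^https?:(\/\/\*)?$/.test(s));
      if (!open) return { verdict: 'protected', via: 'csp', detail: src.join(' ') || "'none'" };
      openAncestors = true;
    }
  }
  // When frame-ancestors is present, conforming browsers ignore X-Frame-Options.
  if (openAncestors) {
    return { verdict: 'not-protected', via: 'csp', detail: 'frame-ancestors allows any origin' };
  }
  // 2. X-Frame-Options. Only a single DENY or SAMEORIGIN is a usable policy;
  //    ALLOW-FROM is obsolete and conflicting values need a manual look.
  const xfo = [...new Set((h['x-frame-options'] || [])
    .flatMap(v => v.split(',')).map(v => v.trim().toLowerCase()).filter(Boolean))];
  if (xfo.length === 1 && (xfo[0] === 'deny' || xfo[0] === 'sameorigin')) {
    return { verdict: 'protected', via: 'x-frame-options', detail: xfo[0] };
  }
  if (xfo.length > 0) {
    return { verdict: 'review', via: 'x-frame-options', detail: xfo.join(', ') };
  }
  // 3. No header at all: the case Nikto reports. Frame-breaking JavaScript is
  //    invisible at this level, so confirm the finding in a browser.
  return { verdict: 'no-header', via: null, detail: 'confirm in a browser' };
}

// Constructed sample responses (not captured from a real site).
const samples = [
  { 'X-Frame-Options': 'SAMEORIGIN' },
  { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  { 'Server': 'nginx' },
];
for (const s of samples) console.log(JSON.stringify(s), '->', framingProtection(s).verdict);
```

A `no-header` or `review` verdict is the point at which the browser test described above is needed to settle the finding.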