How I Earned $350 Exploiting Clickjacking Vulnerability to Trigger XSS Attack


Abdul Rehman Parkar

Hello researchers, my name is Abdul Rehman Parkar, and I work at IZYITS.

In today’s write-up, we will dive into a Clickjacking vulnerability and explore how I was able to exploit it to trigger a Self XSS attack through a chat bot. By leveraging this vulnerability, I was able to trick users into pasting a malicious payload into the chat bot, which then executed in their browser, potentially exposing sensitive information.

So let’s get started by first understanding what Clickjacking and XSS are.

Clickjacking is a type of attack that tricks users into clicking on something different from what they perceive, effectively hijacking their clicks. This technique can overlay or hide elements on a web page, making users interact with malicious content without realizing it.

Cross-Site Scripting (XSS), on the other hand, is a vulnerability that allows attackers to inject malicious scripts into webpages viewed by other users. By doing so, they can potentially steal sensitive information, modify content, or take control of user sessions.
