Anthropic-Cybersecurity-Skills/skills/performing-clickjacking-attack-test/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

# API Reference: Performing Clickjacking Attack Test
## HTTP Security Headers
| Header | Values | Description |
|--------|--------|-------------|
| `X-Frame-Options` | `DENY`, `SAMEORIGIN`, `ALLOW-FROM uri` | Legacy frame embedding control |
| `Content-Security-Policy: frame-ancestors` | `'none'`, `'self'`, URLs | Modern CSP-based frame control |
## requests Library
| Method | Description |
|--------|-------------|
| `requests.get(url, allow_redirects=True)` | Fetch page and follow redirects |
| `response.headers.get("X-Frame-Options")` | Extract frame protection header |
| `response.headers.get("Content-Security-Policy")` | Extract CSP header |
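The two tables above list the headers and the `requests` calls separately; the following is an added example (not part of the skill's own `agent.py`) that turns a captured header set into a verdict on whether a third-party page can frame the response. It evaluates CSP `frame-ancestors` before `X-Frame-Options`, treats a Report-Only policy as unenforced, and flags the unsupported `ALLOW-FROM` form; the sample header sets at the bottom are constructed, and in a live check you would pass `requests.get(url, allow_redirects=True).headers` instead.

```python
from typing import Mapping, Optional

def parse_frame_ancestors(csp: str) -> Optional[list]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # Sources are keywords ('none', 'self'), scheme-sources or origins.
            return [t.strip("'").lower() for t in tokens[1:]]
    return None

def assess_frame_protection(headers: Mapping[str, str]) -> dict:
    """Classify a response by the frame-embedding policy its headers enforce.

    frame-ancestors takes precedence over X-Frame-Options in browsers that
    support CSP, so it is evaluated first; X-Frame-Options is the fallback.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    notes = []
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
            notes.append("frame-ancestors permits any origin")
            return {"verdict": "unprotected", "enforced_by": "frame-ancestors", "notes": notes}
        return {"verdict": "protected", "enforced_by": "frame-ancestors", "notes": notes}
    if parse_frame_ancestors(h.get("content-security-policy-report-only", "")) is not None:
        notes.append("frame-ancestors only in Report-Only header: not enforced")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"verdict": "protected", "enforced_by": "x-frame-options", "notes": notes}
    if xfo.startswith("ALLOW-FROM"):
        notes.append("ALLOW-FROM is not honoured by current browsers")
    elif xfo:
        notes.append(f"unrecognised X-Frame-Options value: {xfo!r}")
    else:
        notes.append("no frame-embedding policy set")
    return {"verdict": "unprotected", "enforced_by": None, "notes": notes}

# Constructed sample header sets (not captured from any real application).
SAMPLE_HEADERS = {
    "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                 "X-Frame-Options": "DENY"},
    "report_only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "legacy_allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "open_csp": {"Content-Security-Policy": "frame-ancestors https: 'self'"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_HEADERS.items():
        print(name, assess_frame_protection(hdrs))
```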
## PoC HTML Elements
| Element | Purpose |
|---------|---------|
| `<iframe src="target" style="opacity:0">` | Invisible target frame overlay |
| `<div class="decoy">` | Visible decoy content beneath frame |
| `sandbox` attribute | Bypass JS frame-busting on iframe |
## JavaScript Frame-Busting Patterns
| Pattern | Description |
|---------|-------------|
| `top.location !== self.location` | Check if page is framed |
| `window.top !== window.self` | Alternative frame detection |
| `parent.frames.length > 0` | Check for parent frames |
## Key Libraries
- **requests** (`pip install requests`): HTTP client for header analysis
- **selenium** (optional): Browser-based testing for JS frame-busting validation
- **beautifulsoup4** (optional): Parse HTML for embedded frame-busting scripts
## Configuration
| Variable | Description |
|----------|-------------|
| Target URL | Authorized target application URL |
| Endpoint paths | Application paths to test (login, settings, admin) |
## OWASP Testing Guide
| Test ID | Description |
|---------|-------------|
| WSTG-CLNT-09 | Testing for Clickjacking |
## References
- [OWASP Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html)
- [MDN X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)
- [MDN CSP frame-ancestors](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors)
- [PortSwigger Clickjacking](https://portswigger.net/web-security/clickjacking)