0 votes

As part of the requirements for exercise 3, in question 2, the following is mentioned: "The attackers button MUST NOT execute an alert".

My understanding is that you mean when the clickjacking happens in the 'attacker.html', and when the user *thinks* they click on the 'Click Here' button, that the alert that is set in the button in the 'victim.html' should not pop up (i.e., the user should not understand their click is being hijacked).

Could you please confirm that my understanding of the requirement is correct? Many thanks in advance.

in ex03 by (130 points)

1 Answer

+1 vote

The requirement means that the visible button in attacker.html must not have its own alert handler or directly trigger an alert. However, if the click is successfully redirected to the button on victim.html and that button shows an alert, this is expected and demonstrates that the clickjacking attack worked.

by (280 points)