Clickjacking Test Page

To test whether a site is vulnerable to clickjacking, create an HTML page similar to the following, changing the URL in the iframe's src attribute (http://localhost:8080 in this example) to point to your target site:

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>You’ve been clickjacked!</p>
<iframe sandbox="allow-scripts allow-forms" src="http://localhost:8080" style="width:100%;height:90%"></iframe>
</body>
</html>

If you see the text “You’ve been clickjacked!” at the top of the page, your site is vulnerable. With a clickjacking defense script installed, your site should break out of the site that is framing it and that text will not be displayed. If the user’s browser has JavaScript turned off, the target site should not display at all.
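
A defense script with the behaviour described above, as an added example that is not part of the original page. The function name antiClickjack, the style id "antiClickjack" and the returned status strings are assumptions made for illustration.

```javascript
// Added example: antiClickjack() and the "antiClickjack" style id are
// illustrative names, not taken from the original page.
// The protected page is assumed to ship this rule in its <head>:
//   <style id="antiClickjack">body { display: none !important; }</style>
// so the body is hidden by default, including when JavaScript is turned off.

function antiClickjack(win, doc) {
  if (win.self === win.top) {
    // Not framed: remove the hiding style so the page renders normally.
    const style = doc.getElementById("antiClickjack");
    if (style && style.parentNode) {
      style.parentNode.removeChild(style);
    }
    return "shown";
  }
  try {
    // Framed: ask the browser to replace the framing page with this page.
    // The hiding style is left in place while that happens.
    win.top.location = win.self.location;
    return "navigating-top";
  } catch (err) {
    // The browser refused the navigation (for example a sandboxed frame
    // without allow-top-navigation). The style stays, so the body stays hidden.
    return "hidden";
  }
}

// Run immediately in a browser; skipped where there is no window (e.g. Node).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  antiClickjack(window, document);
}
```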