⚠️ EDUCATIONAL DEMO: This page simulates an attacker's website to demonstrate the vulnerability created by a missing X-Frame-Options (anti-framing) header. No actual data is accessed or submitted.

Clickjacking Attack Demo

Because the school page sends neither X-Frame-Options nor a Content-Security-Policy frame-ancestors directive, it can be silently embedded inside this attacker-controlled page.

THE SECURITY RISK IN PLAIN ENGLISH

A website that should only appear on its own domain can be loaded invisibly inside any other website.

Think of it like a window with no blinds. Normally, websites have a setting that says: "I am not allowed to appear inside anyone else's page." That setting is missing here — so any website in the world can silently load the school portal inside their page, completely invisible to the visitor.

The fix is one response header. Adding X-Frame-Options: SAMEORIGIN (or, in Content-Security-Policy, frame-ancestors 'self') tells the visitor's browser: "Refuse to render this page inside a frame on any other origin." Every current browser enforces this on the client side, so the hidden frame stays blank and the victim's click has nothing to land on. The attack is blocked, not because the server detects it, but because the browser will not cooperate.

STEP 1
Attacker builds a fake page
A "Win a Prize!" or "Free Scholarship" page is created and spread via social media / email.
STEP 2
Real site embedded invisibly
The real login page is loaded in a near-invisible <iframe> positioned beneath the fake button.
STEP 3
Victim clicks → real site acts
When the victim clicks "Claim Prize", the click actually lands on a button inside the real site's frame, so the real site performs whatever that button does, using the victim's own session or the credentials the victim just typed.
STEP 4
Action taken in the victim's name
The attacker never sees the session cookie; the browser attaches it to the framed page automatically. The attacker can therefore trigger enrollment, payments, or data changes, all while the victim thinks they clicked a harmless button.
[Interactive demo: enter a school portal URL to test it live. The attacker's page is rendered as a student or parent would see it, with win-free-scholarship.com/claim in the address bar rather than the school's domain.]

Site is Protected Against Clickjacking

This school's site returns X-Frame-Options: SAMEORIGIN or a frame-ancestors directive in its Content-Security-Policy (when both are present, browsers honour frame-ancestors and ignore X-Frame-Options). The browser refuses to render it inside a cross-origin iframe, so the overlay attack has nothing to land on.

This is what Ocean enforces by default on every page it serves.
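The check that distinguishes the protected and vulnerable states above is a pure header check. The following is an added example, not SchoolBreach.org's scanner or Ocean's code: it classifies a response's anti-framing posture the way current browsers evaluate it, including the rule that a CSP frame-ancestors directive overrides X-Frame-Options, that Report-Only CSP enforces nothing, and that the obsolete ALLOW-FROM form gives no protection. The header samples at the bottom are constructed, not captured from any school.

```python
"""Classify a response's anti-framing posture from its HTTP headers.

Rules (what current browsers do):
  * A Content-Security-Policy with a frame-ancestors directive is authoritative;
    when it is present the browser ignores X-Frame-Options entirely.
  * Content-Security-Policy-Report-Only only reports and never blocks.
  * X-Frame-Options DENY / SAMEORIGIN block foreign framing; ALLOW-FROM is
    obsolete and ignored, so it gives no protection.
  * When several CSP headers are sent, every policy must allow the framing,
    so the strictest frame-ancestors wins.
"""
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]  # (name, value) pairs as sent; names are case-insensitive

# Verdicts ordered from weakest to strictest.
VULNERABLE, RESTRICTED, PROTECTED = "vulnerable", "restricted", "protected"
_RANK = {VULNERABLE: 0, RESTRICTED: 1, PROTECTED: 2}


def header_values(headers: Headers, name: str) -> List[str]:
    """All values for a header name, case-insensitively; repeated headers are common."""
    return [v for k, v in headers if k.lower() == name.lower()]


def frame_ancestors_sources(policy: str) -> Optional[List[str]]:
    """Source list of the first frame-ancestors directive in one CSP policy, or None.

    frame-src / child-src do not count: they control what this page may embed,
    not who may embed this page.
    """
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def judge_frame_ancestors(sources: List[str]) -> str:
    """Map a frame-ancestors source list to a verdict."""
    if not sources or sources == ["'none'"]:
        return PROTECTED      # an empty source list matches nothing, same as 'none'
    if "*" in sources or any(s in ("http:", "https:") for s in sources):
        return VULNERABLE     # any origin (or any origin on that scheme) may frame the page
    if all(s == "'self'" for s in sources):
        return PROTECTED
    return RESTRICTED         # explicit allow-list of hosts: only those may frame the page


def assess_framing(headers: Headers) -> Tuple[str, str]:
    """Return (verdict, reason) for one response's headers."""
    verdicts = []
    for policy in header_values(headers, "Content-Security-Policy"):
        sources = frame_ancestors_sources(policy)
        if sources is not None:
            verdicts.append(judge_frame_ancestors(sources))
    if verdicts:
        strictest = max(verdicts, key=_RANK.get)
        return strictest, "CSP frame-ancestors is present and overrides X-Frame-Options"

    xfo = [v.strip().lower()
           for raw in header_values(headers, "X-Frame-Options")
           for v in raw.split(",")]
    if xfo:
        if all(v in ("deny", "sameorigin") for v in xfo):
            return PROTECTED, "X-Frame-Options " + ", ".join(sorted(set(xfo))).upper()
        return VULNERABLE, ("X-Frame-Options has an obsolete or unknown value (%s); "
                            "browsers ignore it" % ", ".join(xfo))

    if header_values(headers, "Content-Security-Policy-Report-Only"):
        return VULNERABLE, "only a Report-Only CSP is sent; nothing is enforced"
    return VULNERABLE, "no X-Frame-Options and no frame-ancestors directive"


# Constructed header sets for illustration, not captured from any real school site.
SAMPLES = {
    "no header":         [("Content-Type", "text/html")],
    "xfo sameorigin":    [("X-Frame-Options", "SAMEORIGIN")],
    "obsolete allow-from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "csp self":          [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
    "csp allow-list":    [("Content-Security-Policy", "frame-ancestors https://portal.example")],
    "csp overrides xfo": [("X-Frame-Options", "DENY"), ("Content-Security-Policy", "frame-ancestors *")],
    "report-only":       [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        verdict, why = assess_framing(hdrs)
        print(f"{label:20} {verdict:10} {why}")
```

The "csp overrides xfo" sample is the case worth remembering: a site that adds X-Frame-Options: DENY but leaves an old frame-ancestors * in its CSP is still frameable, because the CSP directive wins.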

Demo controls: a draggable green button and an X-ray toggle. 💡 In X-ray mode the iframe opacity is 1.0, so you can see the overlap. In attack mode the iframe drops to near-invisible (opacity 0.01): the victim sees only the green button, but their click lands on the real form beneath it. Drag the green button to align it over any real button on the target page, then switch to attack mode.

❌ Current State (Vulnerable)

  • No X-Frame-Options header returned by the server
  • No frame-ancestors directive in Content-Security-Policy
  • Any website can embed the school portal in an invisible iframe
  • Students/parents can be tricked into submitting credentials
  • Attacker can silently trigger enrollment, payments, profile changes

✅ Fix (One Server-Side Line)

  • Add HTTP header: X-Frame-Options: SAMEORIGIN (or DENY if the page never needs to be framed, even by the site itself)
  • Or via CSP: Content-Security-Policy: frame-ancestors 'self' (preferred; when both headers are present, browsers honour frame-ancestors and ignore X-Frame-Options, so keep the two consistent)
  • The browser then refuses to render the page inside a frame on any foreign origin; the attacker's iframe stays blank
  • Laravel built-in: Illuminate\Http\Middleware\FrameGuard sets X-Frame-Options: SAMEORIGIN; register it in app/Http/Kernel.php so it runs on every response
  • Apply it site-wide, error pages included; a single unprotected route is enough for the overlay
  • Do not use X-Frame-Options: ALLOW-FROM; it is obsolete and ignored by current browsers. Use frame-ancestors for an allow-list
  • With a single config change, this attack is blocked in every current browser
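The "one server-side line" fix described in the plain-English section and in the list above, as an added example rather than Ocean's or Laravel's code: a framework-agnostic WSGI middleware that puts both anti-framing headers on every response, extends an existing CSP instead of clobbering it, and removes any stale X-Frame-Options value the application may have set. `vulnerable_portal` is a constructed stand-in for the school portal; `fetch` drives the app in-process so the before/after headers can be inspected offline.

```python
"""Apply X-Frame-Options and CSP frame-ancestors to every WSGI response."""
from typing import Callable, Iterable, List, Tuple

Headers = List[Tuple[str, str]]


def vulnerable_portal(environ, start_response) -> Iterable[bytes]:
    """Constructed stand-in for the portal in the demo: no anti-framing header,
    but it does send a CSP of its own, which the fix must preserve."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Security-Policy", "default-src 'self'")])
    return [b"<form method='post' action='/login'>...</form>"]


def frame_guard(app: Callable, allow_same_origin: bool = True) -> Callable:
    """Wrap a WSGI app so every response, error pages included, carries both
    X-Frame-Options and a matching CSP frame-ancestors directive."""
    xfo = "SAMEORIGIN" if allow_same_origin else "DENY"
    fa = "frame-ancestors 'self'" if allow_same_origin else "frame-ancestors 'none'"

    def wrapped(environ, start_response):
        def guarded_start_response(status, headers: Headers, exc_info=None):
            out: Headers = []
            csp_seen = False
            for name, value in headers:
                key = name.lower()
                if key == "x-frame-options":
                    continue  # replaced below, so a stale ALLOW-FROM cannot survive
                if key == "content-security-policy":
                    csp_seen = True
                    if "frame-ancestors" not in value.lower():
                        # Extend the app's own policy; do not replace it.
                        value = value.rstrip("; ") + "; " + fa
                out.append((name, value))
            out.append(("X-Frame-Options", xfo))
            if not csp_seen:
                out.append(("Content-Security-Policy", fa))
            return start_response(status, out, exc_info)
        return app(environ, guarded_start_response)
    return wrapped


def fetch(app: Callable, path: str = "/") -> Tuple[str, Headers, bytes]:
    """Drive a WSGI app in-process (no network) and return status, headers, body."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, list(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "SERVER_NAME": "portal.example", "SERVER_PORT": "443",
               "wsgi.url_scheme": "https"}
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


def framing_headers(headers: Headers) -> dict:
    """The two headers that matter, keyed by lowercase name (None if absent)."""
    wanted = {"x-frame-options": None, "content-security-policy": None}
    for name, value in headers:
        if name.lower() in wanted:
            wanted[name.lower()] = value
    return wanted


if __name__ == "__main__":
    for label, app in (("vulnerable", vulnerable_portal),
                       ("fixed", frame_guard(vulnerable_portal))):
        _, headers, _ = fetch(app)
        print(label, framing_headers(headers))
```

The same two header lines belong in whatever layer sits in front of the application (reverse proxy, CDN, framework middleware), as long as it is a layer that sees every response.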
SchoolBreach.org: free vulnerability scanner for K-12 schools
This demo is for educational and security awareness purposes only.
No data is accessed, stored, or transmitted.

⚠️ What the Attacker Just Gained

🎣 SCENARIO A — Victim Not Logged In

  • Victim types username + password into what looks like a prize claim form
  • The real login page is framed at full opacity as a convincing backdrop, and the attacker's transparent input fields sit over the real ones, so the keystrokes go to the attacker, never to the school
  • Attacker logs in as the parent/student at any time
  • Can view grades, payment history, medical records, addresses
  • Caveat: this variant is credential phishing that borrows the real page as scenery. The anti-framing header removes the genuine backdrop, but a copied login page would still work, so it reduces rather than eliminates this risk

🖱️ SCENARIO B — Staff Member Already Logged In

  • No password needed: the browser attaches the victim's active session cookie to the framed page, so the action runs with their authority
  • Session cookies marked SameSite=Lax or Strict (Chromium's default for cookies that set no attribute) are not sent to a cross-site iframe, so the framed page loads logged out and this scenario fails there; treat that as defence in depth, not a substitute for the header
  • Teacher: iframe over "Submit Grades" → grades locked/altered in teacher's name
  • Finance staff: iframe over "Confirm Payment" → fraudulent transaction posted under their account
  • Registrar: iframe over "Enroll Student" → enrollment records silently manipulated
  • Principal: iframe over "Approve Grades" → entire grade batch approved without their knowledge

The victim — whether a parent, teacher, or finance officer — sees only the green button and a thank-you message.
The attacker doesn't need to hack anything. One staff member clicking one link is enough.