SensePost is SecureData’s independent elite consulting arm, renowned for its expertise, 19 year track record and innovation on the frontlines of cybersecurity.

With team members that include some of the world’s most preeminent cybersecurity experts, SensePost has helped governments and blue-chip companies both review and protect their information security and stay ahead of evolving threats.

SensePost is also a prolific publisher of leading research articles and tools on cybersecurity which are widely recognised and used throughout the industry and feature regularly at industry conferences including BlackHat and DefCon.


  • Authors: Chris Le Roy
  • Source Code:
  • License: 1.0
  • License: GPL
  • Release date: 2015-08-15

ClickJacking is a longstanding vulnerability which has been around since the inception of the World Wide Web. With ClickJacking, it's easy for attackers to acquire user-submitted credentials.

To raise awareness of this issue, we introduced Jack, part of our Web Application toolkit, and launched it at the BlackHat Arsenal in Amsterdam in 2015.

Jack allows implementers to test if a specific web resource is vulnerable to ClickJacking and if so, allows the easy generation of a ClickJacking Proof of Concept (PoC) in order to trick users into submitting credentials.

Features Include:

  • Drag 'n Drop functionality for users to position and create malicious elements in order to capture user-submitted input.
  • Ability to generate local PoC instances of the ClickJackable resource and deploy to a web container, such as Apache

Using Jack

Jack is web based and requires a web server to serve its HTML and JavaSript content. This can be remotely or locally. To install, git clone the directory and copy the contents into a folder that is accessible to the web server. Finally, open "index.html" with your browser and you are ready to use it.

Jack also includes a new payload option for custom JavaScript, which when created, will be executed by the browser when Jack’s login button is clicked on the PoC page. Another little option in the new jack is that you can now save the PoC generated page and save the contents to be served by something like Apache just in case you want to take your PoC to the next level with malicious domains etc.

Jack in Action

Vanilla Jack loaded with no target but all “viewable” elements are Drag and Drop-able

Google Gruyere used as target to be loaded into Jack with UI elements now Drag and Droppable

Jack’s “View” of the current PoC with no custom styling

PoC with custom styling and malicious elements to capture user credentials

PoC “View” with custom styling.

Complete configuration with custom styling and positioning of elements.

Obtaining Jack

Jack can be downloaded from our Github page