I am working on a school project and the goal is a rather difficult clickjacking. I am using a virtual machine and a host-based domain. Essentially, I have a very vulnerable shopping website and I am trying to overlay iframes on top of some buttons on the site.

In my first approach, I created an iframe when the user clicked my "eViL" button to host the vulnerable website in. From here I have tried inserting more iframes based on the page after it loads (since the buttons are dynamic). I have tried doing this with something like this:

iframe.onload = function(){
    var innerDoc = iframe.contentWindow.document;
};

However, I soon realized that this just causes an error because of the Same Origin Policy of the browser.

The second approach that I can think of is possibly sending some script tags through a GET request. However, I am not quite sure how to go about doing it, as I am not super familiar with JavaScript or HTML. I'm sure it will have to be a little hacky to do it by escaping characters and whatnot, but is it really possible to do it this way?

My second, kind of overall, question is: was my logic from my first attempt flawed? Or was there another way to go about doing this whole process? Which approach seems to be the correct one here?
