How to do it...

  1. Navigate to the home page of OWASP Mutillidae II.
  2. Switch to Burp, and from the top-level menu, select Burp Clickbandit.
  3. A pop-up box explains the tool. Click the button entitled Copy Clickbandit to clipboard.
  4. Return to the Firefox browser, and press F12 to bring up the developer tools. From the developer tools menu, select Console, and look for the prompt at the bottom.
  5. At the Console prompt (for example, >>), paste the Clickbandit script you copied to your clipboard.
  6. After pasting the script into the prompt, press the Enter key. You should see the Burp Clickbandit Record mode. Click the Start button to begin.
  7. Start clicking around on the application after it appears. Click available links at the top Mutillidae menu, click available links on the side menu, or browse to pages within Mutillidae. Once you've clicked around, press the Finish button on the Burp Clickbandit menu.
  8. You should notice big red blocks appear transparently on top of the Mutillidae web pages. Each red block indicates a place where a malicious iframe can appear. Feel free to click each red block to see the next red block appear, and so on.
  9. Once you wish to stop and save your results, click the Save button. This will save the Clickjacking PoC in an HTML file for you to place inside your penetration test report.
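
The saved PoC only works because the target page can be rendered inside a frame, and browsers decide that from the `X-Frame-Options` header and the CSP `frame-ancestors` directive. The Python below is an added example for the report's remediation check, not code from the book or from Burp; the function names and sample headers are constructed for illustration.

```python
# Added example: classify how a response's headers constrain framing.
# Function names and the sample header values are constructed for illustration.
RANK = {"framable": 0, "allowlist": 1, "same-origin": 2, "blocked": 3}


def _frame_ancestors(policy):
    """Return the frame-ancestors source list of one CSP policy, or None."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]  # first occurrence wins
    return None


def _classify_sources(sources):
    if not sources or sources == ["'none'"]:
        return "blocked"  # an empty source list matches nothing
    if "*" in sources:
        return "framable"
    if sources == ["'self'"]:
        return "same-origin"
    return "allowlist"


def assess_framing(headers):
    """headers: list of (name, value) pairs; duplicate names are allowed."""
    csp, xfo = [], []
    for name, value in headers:
        key = name.strip().lower()
        if key == "content-security-policy":  # Report-Only is never enforced
            csp += value.split(",")  # one header may carry several policies
        elif key == "x-frame-options":
            xfo += [v.strip().lower() for v in value.split(",")]
    verdicts = [_classify_sources(s) for s in map(_frame_ancestors, csp) if s is not None]
    if verdicts:
        # frame-ancestors takes precedence over X-Frame-Options. Every policy
        # must allow the embed; approximated here by taking the strictest verdict.
        return max(verdicts, key=RANK.get)
    # Simplification for repeated X-Frame-Options values: DENY wins, then SAMEORIGIN.
    if "deny" in xfo:
        return "blocked"
    if "sameorigin" in xfo:
        return "same-origin"
    return "framable"  # no header, an invalid value, or the obsolete ALLOW-FROM


if __name__ == "__main__":
    print(assess_framing([("Content-Type", "text/html")]))
    print(assess_framing([("Content-Security-Policy", "frame-ancestors 'none'")]))
```

A verdict of `framable` on a page with state-changing controls is the condition under which the Clickbandit PoC renders; `blocked` or `same-origin` means a cross-origin frame of that response will be refused by the browser.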