I have a clickjacking vulnerable endpoint https://www.example.com/myaccount.
At this endpoint there is a block which display the user's API key , which have both public and private keys.
I was able to load the respective endpoint in iframe when the user is logged in.
I did the iframe using the below code
<div qjid="quickjack" style="overflow: hidden; width: 775px; height: 227px; position: relative;" id="cksl6">
<iframe name="cksl7" src="https://vulnerableendpoint.example.com/my-account" style="border: 0pt none ; left: -267px; top: -1377px; position: absolute; width: 2880px; height: 1642px;" scrolling="no"></iframe></div>
The above code successfully loaded the respective vulnerable endpoint
Requirement
I need to create an overlay with junk content and when the junk content is copied , the API keys which is under the overlay should be copied.
One thing to notice , the private key is hidden , it needs to be shown in plaint text by clicking the
Showbutton similar to show password
How can I achieve it using javascript ?