Hello, I consider this new report to be similar to issue #5 which is currently open. Best regards, -- Thibaud Antignac CEA List From: security &lt;security-bounces(a)server.sparta.eu&gt; on behalf of Security Researcher &lt;vaishnaviresearcher(a)gmail.com&gt; Date: Thursday 26 November 2020 at 17:46 To: &quot;security(a)sparta.eu&quot; &lt;security(a)sparta.eu&gt; Subject: [security] BUG REPORT Dear Team , I am Vaishnavi Pardeshi working as a security researcher and I found a bug in your site report of bug is as follows : a) Vulnerability name : clickjacking (CRITICAL) b) Vulnerability Description : Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. This vulnerability affects Web Server. c) Steps to reproduce : 1. Copy URL of website and paste it in clickjacking code 2. This is sample code Create a new HTML file put <iframe src="https://www.sparta.eu/" id="frame1" width="100%" height="100%" > 3. Open html file with another browser and click on click here and see it is redirected to bing.com<http://bing.com/> . d) POC : I have attached Screenshot as well as code of clickjacking : <html> <head> <title>Clickjack test page</title> </head> <style> #myBtn{ z-index: 999; position: absolute; top: 100px; right: 50px; color: white; background-color: red; } </style> <body> <!-- <h1> A Sample Test Page </h1> <p>Website is vulnerable to clickjacking! </p> <p>Avoid random clicks </p> --> <div style="z-index:-9999; position:absolute;top:0; left:0;width: 70%; height:70%"> <iframe src="https://www.sparta.eu/" id="frame1" width="100%" height="100%" > </iframe></div> <div align="right" style="position:absolute; top:1; left:0; z-index:1; width: 70%;height:60%; text-align:left;"> <a href="https://www.bing.com/?toWww=1&redig=D1C96AD6DC434FA59D3D2AC0… target="_blank"><button id="myBtn"> click here</button></a> <div id="myModal" class="modal"> <!-- Modal content --> </div> </body> </html> e) Solution : There are two main ways to prevent clickjacking: Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other domains Employing defensive code in the UI to ensure that the current frame is the most top level window Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). f) Impact: By using Clickjacking technique, an attacker hijack click's meant for one page and route them to another page, most likely for another application, domain, or both. With Kind regards , Vaishnavi Pardeshi