Hello Team,
I am Siddharth Zala, working as a security researcher, and I found a bug in
your site. The report of the bug is as follows:
a) Vulnerability name: Clickjacking On Sensitive Page
b) Vulnerability Description :
Clickjacking (User Interface redress attack, UI redress attack, UI
redressing) is a malicious technique of tricking a Web user
into clicking on something different from what the user perceives they
are clicking on, thus potentially revealing confidential information or
taking control of their computer while clicking on seemingly innocuous web
pages.
The server didn't return an X-Frame-Options header which means that this
website could be at risk of a clickjacking attack. The
X-Frame-Options HTTP response header can be used to indicate whether or not
a browser should be allowed to render a page in a <frame> or <iframe>.
Sites can use this to avoid clickjacking attacks, by ensuring that their
content is not embedded into other sites.
This vulnerability affects the Web Server.
c) Steps to reproduce :
1. Copy the URL of the website and paste it into the clickjacking code.
2. This is sample code. Create a new HTML file and put in it:
<iframe src="https://sparta.eu/" id="frame1" width="100%" height="100%"></iframe>
3. Open the HTML file in another browser, click on "click here" and see
that it is redirected to bing.com.
d) POC :
I have attached Screenshot as well as code of clickjacking :
<html>
<head>
  <title>Clickjack test page</title>
  <style>
    /* Decoy button layered above the framed page */
    #myBtn {
      z-index: 999;
      position: absolute;
      top: 100px;
      right: 50px;
      color: white;
      background-color: red;
    }
  </style>
</head>
<body>
  <!-- <h1> A Sample Test Page </h1>
  <p>Websites are vulnerable to clickjacking! </p>
  <p>Avoid random clicks </p> -->
  <!-- Target site loaded in a frame behind the decoy -->
  <div style="z-index:-9999; position:absolute; top:0; left:0; width:70%; height:70%">
    <iframe src="https://sparta.eu/" id="frame1" width="100%" height="100%"></iframe>
  </div>
  <div align="right" style="position:absolute; top:1px; left:0; z-index:1; width:70%; height:60%; text-align:left;">
    <a href="https://www.bing.com/?toWww=1&redig=D1C96AD6DC434FA59D3D2AC05339EA9B" target="_blank"><button id="myBtn">click here</button></a>
    <div id="myModal" class="modal">
      <!-- Modal content -->
    </div>
  </div>
</body>
</html>
e) Solution :
There are two main ways to prevent clickjacking:
- Sending the proper X-Frame-Options HTTP response headers that instruct the
browser not to allow framing from other domains
- Employing defensive code in the UI to ensure that the current frame is the
top-level window
Most modern Web browsers support the X-Frame-Options HTTP header. Ensure
it's set on all web pages returned by your site. If you expect the page to
be framed only by pages on your server (e.g. it's part of a FRAMESET) then
you'll want to use SAMEORIGIN; otherwise, if you never expect the page to be
framed, you should use DENY. ALLOW-FROM allows specific websites to frame
the web page in supported web browsers.
f) Impact:
By using the Clickjacking technique, an attacker hijacks clicks meant for
one page and routes them to another page, most likely for another
application, domain, or both.
Warm Regards
Siddharth Zala
Security Researcher
Pankaj here. I found a vulnerability on your domain:
https://sparta.eu/
Vulnerability name: CSP: Wildcard Directive
Description:
Content Security Policy is an effective measure to protect your site from
XSS attacks.
By whitelisting sources of approved content, you can prevent the browser
from loading malicious assets.
The following directives either allow wildcard sources (or ancestors), are
not defined, or are overly broadly defined:
script-src, script-src-elem, script-src-attr, style-src, style-src-elem,
style-src-attr, img-src, connect-src, frame-src, font-src, media-src,
object-src, manifest-src, worker-src, prefetch-src, form-action
The directive form-action is among the directives that do not fall back
to default-src; omitting it is the same as allowing anything.
Steps to reproduce:
1) Go to: https://securityheaders.com/
2) Enter the host name https://sparta.eu/
3) You will see CSP MISSING
Solution:
Ensure that your web server, application server, load balancer, etc. is
properly configured to set the Content-Security-Policy header
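The report above lists three conditions a policy can fail: a directive allows a wildcard source, it is not defined, or it is one of the directives that does not fall back to default-src. The script below, added here as an example and not code from the reporter, securityheaders.com or sparta.eu, parses a Content-Security-Policy header and applies exactly those checks, walking each fetch directive's fallback chain (for example script-src-elem falls back to script-src before default-src) so that a directive is only reported missing when nothing in its chain is defined. The policies in SAMPLE_POLICIES are constructed for illustration.

```python
"""Audit a Content-Security-Policy header for wildcard, missing and
non-fallback directives.

Added example for the CSP report; it is not code from the reporter or from
sparta.eu. The policies in SAMPLE_POLICIES are constructed for illustration.
"""
from __future__ import annotations

# Fallback chain for each fetch directive, innermost first (CSP Level 3).
FALLBACK = {
    "script-src": ["default-src"],
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src": ["default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "img-src": ["default-src"],
    "connect-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "font-src": ["default-src"],
    "media-src": ["default-src"],
    "object-src": ["default-src"],
    "manifest-src": ["default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    "prefetch-src": ["default-src"],
}
# Directives that never fall back to default-src: omitting them allows anything.
NO_FALLBACK = ["form-action", "frame-ancestors", "base-uri"]
# Sources that effectively permit any origin.
BROAD = {"*", "http:", "https:", "data:", "blob:", "filesystem:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source, ...]}. The first occurrence
    of a directive wins; browsers ignore later duplicates."""
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _is_broad(sources: list[str]) -> bool:
    # An empty source list means 'none', the strictest setting.
    return any(s.lower() in BROAD for s in sources)


def effective_sources(policy: dict[str, list[str]], directive: str):
    """Return (governing directive, sources) after walking the fallback chain,
    or None when nothing in the chain is defined."""
    for name in [directive] + FALLBACK.get(directive, []):
        if name in policy:
            return name, policy[name]
    return None


def audit_csp(header: str | None) -> list[str]:
    """Return one finding per weak directive; an empty list means no issue."""
    if header is None or not header.strip():
        return ["Content-Security-Policy header missing"]
    policy = parse_csp(header)
    findings = []
    for directive in FALLBACK:
        found = effective_sources(policy, directive)
        if found is None:
            findings.append(f"{directive}: not defined and no fallback (any source allowed)")
        elif _is_broad(found[1]):
            where = "wildcard source" if found[0] == directive else f"inherits wildcard from {found[0]}"
            findings.append(f"{directive}: {where}")
    for directive in NO_FALLBACK:
        if directive not in policy:
            findings.append(f"{directive}: not defined; does not fall back to default-src (anything allowed)")
        elif _is_broad(policy[directive]):
            findings.append(f"{directive}: wildcard source")
    return findings


# Constructed policies: the reported state, a common weak one and a tight one.
SAMPLE_POLICIES = {
    "missing": None,
    "wildcard default": "default-src *; script-src 'self'",
    "tightened": ("default-src 'self'; script-src 'self' https://cdn.example.com; "
                  "form-action 'self'; frame-ancestors 'none'; base-uri 'self'"),
}

if __name__ == "__main__":
    for label, header in SAMPLE_POLICIES.items():
        print(f"== {label}")
        for finding in audit_csp(header) or ["no findings"]:
            print("  ", finding)
```

Run it and the "wildcard default" policy shows why the report singles out form-action: every fetch directive inherits the wildcard from default-src, but form-action, frame-ancestors and base-uri are reported as missing outright because no fallback applies to them.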
Hello,
Sir / Madam,
sparta.eu Security Support Team, my name is SHIVAM KHAMBE from India. I am
a Security Researcher.
I have found a Clickjacking Vulnerability.
Your website deals with security issues.
What is Click Jacking Vulnerability ?
1. Clickjacking (User Interface redress attack, UI redress attack, UI
redressing) is a malicious technique of tricking a Web user into clicking
on something different from what the user perceives they are clicking on,
thus potentially revealing confidential information or taking control of
their computer while clicking on seemingly innocuous web pages.
2. The server didn't return an X-Frame-Options header which means that this
website could be at risk of a clickjacking attack. The X-Frame-Options HTTP
response header can be used to indicate whether or not a browser should be
allowed to render a page in a <frame> or <iframe>. Sites can use this to
avoid clickjacking attacks, by ensuring that their content is not embedded
into other sites.
Server-side methods – the most common is X-Frame-Options. Server-side
methods are recommended by security experts as an effective way to defend
against clickjacking.
This vulnerability affects Web Server.
The vulnerable domain is:
https://sparta.eu/
Steps to Reproduce:
1. I have given the exploit as follows.
2. Copy it into Notepad, paste it and save it as a .html file.
3. Double-click that file; it opens in a new tab in the browser.
Exploit:
<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p><font size="5" color="#bf0000"> Website is vulnerable to clickjacking!
500x500</font></p>
<iframe src="https://sparta.eu/" width="500"
height="500"></iframe>
</body>
</html>
Impact:
By using the Clickjacking technique, an attacker hijacks clicks meant for one
page and routes them to another page, most likely for another application,
domain, or both.
REFERENCE Suggestions:
https://owasp.org/www-community/attacks/Clickjacking
# Everything is shown in the POC in a quick way ...
Best Regards,
Hi team,
While performing security testing of your website I have found the
vulnerability called Clickjacking.
Many URLs are in scope and vulnerable to Clickjacking.
What is Clickjacking ?
Clickjacking (User Interface redress attack, UI redress attack, UI
redressing) is a malicious technique of tricking a Web user into clicking
on something different from what the user perceives they are clicking on,
thus potentially revealing confidential information or taking control of
their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header which means that this
website could be at risk of a clickjacking attack. The X-Frame-Options HTTP
response header can be used to indicate whether or not a browser should be
allowed to render a page in a <frame> or <iframe>. Sites can use this to
avoid clickjacking attacks, by ensuring that their content is not embedded
into other sites.
This vulnerability affects Web Server.
Steps to Reproduce / POC
Vulnerable Urls:https://www.sparta.eu <https://www.solidpixels.net>
Put every above url one by one in the code of iframe, which is given below
<!DOCTYPE HTML>
<html lang="en-US">
<head>
  <meta charset="UTF-8">
  <title>I Frame</title>
</head>
<body>
  <h3>clickjacking vulnerability</h3>
  <!-- Replace src with each URL in scope, one at a time -->
  <iframe src="https://www.sparta.eu" height="550px" width="700px"></iframe>
</body>
</html>
By Ridoy Mia
mdridoymia660(a)gmail.com
Notice that site is visible in the Iframe
POC is in the attachments. Thanks, waiting for your response.
Impact
Using a similar technique, keystrokes can also be hijacked. With a
carefully crafted combination of stylesheets, iframes, and text boxes, a
user can be led to believe they are typing in the password to their email
or bank account, but are instead typing into an invisible frame controlled
by the attackers
Dear Team,
I am Vaishnavi Pardeshi, working as a security researcher, and I found a bug
in your website. The report of the bug is as follows.
a) VULNERABILITY TYPE- SPF RECORD NOT FOUND
b) HOW TO REPRODUCE (POC - ATTACHED IMAGE):-
1. GO TO https://www.kitterman.com/spf/validate.html
2. Put "sparta.eu" in and CLICK GET SPF RECORD
3. YOU WILL SEE THE FAULT (NO SPF RECORD FOUND)
4. The new page that loads shows NO SPF RECORD FOUND
c) Impact
Not having an SPF (Sender Policy Framework) record for a domain may help
an attacker to send spoofed email, which will look like it originated from
the real domain. Not only that, but a missing SPF record will also result in
emails landing in the SPAM box.
d) Solution :
Enable SPF RECORD
Kind regards ,
Vaishnavi Pardeshi
Hi Team
A DMARC record is the record where the DMARC rulesets are defined. This
record informs the ISPs (like Gmail, Microsoft, Yahoo! etc.) if a domain is
set up to use DMARC. The DMARC record contains the policy. The DMARC record
should be placed in your DNS. The TXT record name should be
“_dmarc.yourdomain.com.” where “yourdomain.com” is replaced with your actual
domain name (or subdomain).
After DMARC has been implemented, it allows you to:
Monitor, detect, and fix real-world problems with your email delivery
See the email volumes you are delivering to inboxes (including which ones)
Identify threat emails pretending to come from your domain (i.e.,
spoofing/phishing)
Control the delivery of your email and defend against spoofing attacks.
Steps To Reproduce:
1) Checking for a missing DMARC record:-
There are various ways of checking for missing DMARC records on a website, but
the most common and popular way is mxtoolbox.com.
Steps to check DMARC records on a website:-
Go to https://mxtoolbox.com
Enter the target, e.g. sparta.eu (do not add https/http or www)
Hit MX Lookup (if any)
Or you can simply open this link =>
https://mxtoolbox.com/SuperTool.aspx?action=mx%3asparta.eu&run=toolpage
If you see any DMARC record then the domain is not vulnerable, but it can
still be vulnerable if the policy is set to "p=none".
2) Attack Scenario & PoC:-
Once there is no DMARC record, an attacker can spoof email via any fake
mailer like Emkei.cz. An attacker can send email from the name "Support" and
the address "support(a)target.com"; with a social engineering attack he can
take over the user's account. Even if the victim knows about phishing
attacks, when he sees the email coming from the authorized domain he gets
tricked easily.
Exploit:
Name: Hacked
Email: security(a)sparta.eu
To - your email address
etc
3) It will directly send a mail from security(a)sparta.eu to you in your
inbox, not in spam.
Solution
Once SPF and DKIM are in place, you configure DMARC by adding policies to
your domain’s DNS records in the form of TXT records (just like with SPF or
DKIM).
The TXT record name should be dmarc.yourdomain.com where yourdomain.com is
replaced with your actual domain name (or subdomain), and set the policy for
the domain to p=reject.
For more details visit:
https://www.dmarcanalyzer.com/how-to-create-a-dmarc-record
Impact
An attacker can use the official career mail security(a)sparta.eu for a
phishing attack. The career email of sparta.eu is security(a)sparta.eu. As
it comes from the official mail, the user will definitely trust it and will
be tricked by the phishing.
Thankspoo
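The SPF report earlier in this thread and the DMARC report above both stop at "no record found" and "enable the record". The script below, added here as an example and not code from the reporters, mxtoolbox.com or sparta.eu, parses the two TXT record formats and flags the settings that leave a domain spoofable even when a record exists: a missing or permissive "all" term and an excessive DNS lookup count in SPF, and a monitoring-only p=none, an unprotected subdomain policy, a partial pct or a missing reporting address in DMARC. It also builds the _dmarc.<domain> name the DMARC message describes. The records in SAMPLES are constructed and the reporting mailbox is a placeholder.

```python
"""Parse SPF and DMARC TXT records and flag weak settings.

Added example; not code from the reporters, mxtoolbox.com or sparta.eu.
The records in SAMPLES are constructed and the mailbox is a placeholder.
"""
from __future__ import annotations

SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4


def dmarc_record_name(domain: str) -> str:
    """DNS name at which the DMARC policy for `domain` is published."""
    return f"_dmarc.{domain.strip().rstrip('.')}"


def check_spf(record: str | None) -> list[str]:
    """Return findings for an SPF TXT record; an empty list means it looks sound."""
    if not record:
        return ["no SPF record: any host can send mail claiming this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings = []
    lookups = 0
    all_term = None
    for term in terms[1:]:
        # Each term is [qualifier]mechanism[:value] or modifier=value.
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term[1:] if term[0] in "+-~?" else term
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            all_term = qualifier + "all"
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups exceed the limit of {SPF_LOOKUP_LIMIT}; receivers return permerror")
    if all_term is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_term == "+all":
        findings.append("+all authorises every host; equivalent to no SPF")
    elif all_term == "?all":
        findings.append("?all is neutral; spoofed mail is not rejected")
    elif all_term == "~all":
        findings.append("~all is softfail; spoofed mail is usually accepted (consider -all)")
    return findings


def check_dmarc(record: str | None) -> list[str]:
    """Return findings for a DMARC TXT record; an empty list means it looks sound."""
    if not record:
        return ["no DMARC record: receivers apply no policy to spoofed mail"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p tag missing or invalid; record is ignored")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered (set p=reject)")
    # sp defaults to p; an explicit sp=none undoes an enforcing p for subdomains.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports will not be received")
    return findings


# Constructed sample records (placeholder mailbox, not a real address).
SAMPLES = {
    "spf missing": (check_spf, None),
    "spf strict": (check_spf, "v=spf1 include:_spf.example.net -all"),
    "spf permissive": (check_spf, "v=spf1 +all"),
    "dmarc monitor only": (check_dmarc, "v=DMARC1; p=none"),
    "dmarc enforcing": (check_dmarc, "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org"),
}

if __name__ == "__main__":
    print("DMARC record name for sparta.eu:", dmarc_record_name("sparta.eu"))
    for label, (check, record) in SAMPLES.items():
        print(f"== {label}: {record!r}")
        for finding in check(record) or ["no findings"]:
            print("  ", finding)
```

The DMARC check deliberately treats p=none as a finding, matching the note in the report that a domain with a record is still spoofable when the policy is none; moving to p=quarantine and then p=reject is what closes the gap, and rua is needed to see what the policy is rejecting.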
Dear Team ,
I am Vaishnavi Pardeshi, working as a security researcher, and I found a bug
in your site. The report of the bug is as follows:
a) Vulnerability name : clickjacking (CRITICAL)
b) Vulnerability Description :
Clickjacking (User Interface redress attack, UI redress attack, UI
redressing) is a malicious technique of tricking a Web user
into clicking on something different from what the user perceives they
are clicking on, thus potentially revealing confidential information or
taking control of their computer while clicking on seemingly innocuous web
pages.
The server didn't return an X-Frame-Options header which means that this
website could be at risk of a clickjacking attack. The X-Frame-Options HTTP
response header can be used to indicate whether or not a browser should be
allowed to render a page in a <frame> or <iframe>. Sites can use this to
avoid clickjacking attacks, by ensuring that their content is not embedded
into other sites.
This vulnerability affects Web Server.
c) Steps to reproduce :
1. Copy the URL of the website and paste it into the clickjacking code.
2. This is sample code. Create a new HTML file and put in it:
<iframe src="https://www.sparta.eu/" id="frame1" width="100%" height="100%"></iframe>
3. Open the HTML file in another browser, click on "click here" and see that
it is redirected to bing.com.
d) POC :
I have attached Screenshot as well as code of clickjacking :
<html>
<head>
  <title>Clickjack test page</title>
  <style>
    /* Decoy button layered above the framed page */
    #myBtn {
      z-index: 999;
      position: absolute;
      top: 100px;
      right: 50px;
      color: white;
      background-color: red;
    }
  </style>
</head>
<body>
  <!-- <h1> A Sample Test Page </h1>
  <p>Website is vulnerable to clickjacking! </p>
  <p>Avoid random clicks </p> -->
  <!-- Target site loaded in a frame behind the decoy -->
  <div style="z-index:-9999; position:absolute; top:0; left:0; width:70%; height:70%">
    <iframe src="https://www.sparta.eu/" id="frame1" width="100%" height="100%"></iframe>
  </div>
  <div align="right" style="position:absolute; top:1px; left:0; z-index:1; width:70%; height:60%; text-align:left;">
    <a href="https://www.bing.com/?toWww=1&redig=D1C96AD6DC434FA59D3D2AC05339EA9B" target="_blank"><button id="myBtn">click here</button></a>
    <div id="myModal" class="modal">
      <!-- Modal content -->
    </div>
  </div>
</body>
</html>
e) Solution :
There are two main ways to prevent clickjacking:
- Sending the proper X-Frame-Options HTTP response headers that instruct the
browser not to allow framing from other domains
- Employing defensive code in the UI to ensure that the current frame is the
top-level window
Most modern Web browsers support the X-Frame-Options HTTP header. Ensure
it's set on all web pages returned by your site. If you expect the page to
be framed only by pages on your server (e.g. it's part of a FRAMESET) then
you'll want to use SAMEORIGIN; otherwise, if you never expect the page to be
framed, you should use DENY. ALLOW-FROM allows specific websites to frame
the web page in supported web browsers.
f) Impact:
By using the Clickjacking technique, an attacker hijacks clicks meant for one
page and routes them to another page, most likely for another application,
domain, or both.
With Kind regards ,
Vaishnavi Pardeshi
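The solution sections of this report and of Siddharth Zala's earlier one both describe the same fix: an X-Frame-Options header set to DENY or SAMEORIGIN, with ALLOW-FROM for specific framers. The script below, added here as an example and not code from either reporter or from sparta.eu, takes a response's headers and classifies the page as protected, weak or framable, and returns the header pair to add for each setting. It goes slightly beyond the reports in two ways: it checks the CSP frame-ancestors directive first, because browsers that support it ignore X-Frame-Options when both are present, and it rates ALLOW-FROM as weak, because that value is obsolete and current browsers ignore it (which renders the frame). The header sets in SAMPLES are constructed, not captured responses.

```python
"""Classify a page's clickjacking posture from its HTTP response headers.

Added example for the clickjacking reports in this thread; it is not code
from any reporter or from sparta.eu. The header sets in SAMPLES are
constructed, not captured from a real response.
"""
from __future__ import annotations

VALID_XFO = {"deny", "sameorigin"}


def _frame_ancestors(csp: str) -> list[str] | None:
    """Return the source list of the frame-ancestors directive, or None if
    the policy does not contain that directive."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def assess_framing(headers: dict[str, str]) -> dict[str, str]:
    """Return {'verdict': ..., 'reason': ...} where verdict is one of
    'protected', 'weak' or 'framable'. Header names are case-insensitive."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # CSP frame-ancestors takes precedence over X-Frame-Options in browsers
    # that support it, so it is evaluated first.
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if not ancestors or ancestors == ["'none'"] or ancestors == ["'self'"]:
            return {"verdict": "protected", "reason": "frame-ancestors restricts framing"}
        if any(src in ("*", "http:", "https:") for src in ancestors):
            return {"verdict": "weak", "reason": "frame-ancestors permits any origin"}
        return {"verdict": "protected", "reason": "frame-ancestors limited to listed origins"}

    xfo = h.get("x-frame-options", "").lower()
    if xfo in VALID_XFO:
        return {"verdict": "protected", "reason": f"X-Frame-Options {xfo.upper()}"}
    if xfo.startswith("allow-from"):
        # ALLOW-FROM is obsolete; current browsers ignore it and render the frame.
        return {"verdict": "weak", "reason": "ALLOW-FROM is obsolete and ignored by current browsers"}
    if xfo:
        # Unknown values are ignored by browsers, which is the same as no header.
        return {"verdict": "framable", "reason": f"unrecognised X-Frame-Options value '{xfo}'"}
    return {"verdict": "framable", "reason": "no X-Frame-Options and no frame-ancestors directive"}


def recommended_headers(policy: str = "deny") -> dict[str, str]:
    """Headers to add for the two settings the report names: DENY for pages
    never meant to be framed, SAMEORIGIN for pages framed only by the same
    site. Both headers are returned so old and new browsers are covered."""
    if policy == "deny":
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    if policy == "sameorigin":
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
    raise ValueError("policy must be 'deny' or 'sameorigin'")


# Constructed header sets: the reported state (no header) and fixed variants.
SAMPLES = {
    "as reported": {"Content-Type": "text/html"},
    "fixed with DENY": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "fixed with CSP": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "obsolete ALLOW-FROM": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        result = assess_framing(hdrs)
        print(f"{label:22} -> {result['verdict']:9} ({result['reason']})")
    print("headers to add:", recommended_headers("deny"))
```

To use it against a live site, feed it the header dictionary from whatever HTTP client you already use; the function is kept free of network code so the same logic can run in a test suite over recorded responses.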
Dear Team ,
I am Vaishnavi Pardeshi, working as a security researcher, and I found a bug
in your website. The report of the bug is as follows.
a) VULNERABILITY TYPE- DMARC RECORD MISSING.
b) HOW TO REPRODUCE(POC-ATTACHED IMAGE):-
1. GO TO https://mxtoolbox.com
2. Put "sparta.eu" in and CLICK GO.
3. YOU WILL SEE THE FAULT (No DMARC Record found)
4. The new page that loads shows No DMARC record found
c) Impact
Spammers can forge the "From" address on email messages to make messages
appear to come from someone in your domain. If spammers use your domain to
send spam or junk email, your domain quality is negatively affected. People
who get the forged emails can mark them as spam or junk, which can impact
authentic messages sent from your domain.
d) Solution :
Enable DMARC record
Kind regards ,
Vaishnavi Pardeshi
Dear SPARTA partners,
It could be relevant to implement the following method, called security.txt,
in order to provide a channel for reporting vulnerabilities in a
coordinated way, especially for IT security researchers who are not part
of SPARTA.
For instance, we have set up security.txt on our website >
https://www.yeswehack.com/.well-known/security.txt
You will find documentation concerning this method by visiting the
official website > https://securitytxt.org/
Best regards,
nicolas diaz
On 13/03/2019 11:20, ANTIGNAC Thibaud wrote:
>
> Dear SPARTA partners,
>
> We now consider that issues #1 and #2 mentioned below have also been
> fixed.
>
> Do not hesitate to contact security(a)sparta.eu
> <mailto:security@sparta.eu> for matters related to these issues or,
> more generally, to report any security-related issue.
>
> Best regards,
>
> --
>
> Thibaud Antignac
>
> CEA List
>
> From: ANTIGNAC Thibaud <thibaud.antignac(a)cea.fr>
> Date: Tuesday 12 March 2019 at 16:36
> To: "project.consortium(a)internal.sparta.eu"
> <project.consortium(a)internal.sparta.eu>
> Cc: <bodies.security-advisory-board(a)internal.sparta.eu>,
> "bodies.coordination(a)internal.sparta.eu"
> <bodies.coordination(a)internal.sparta.eu>
> Subject: Concerning the security issues disclosed on 12 March 2019
>
> Dear SPARTA partners,
>
> Thank you to Matthias for having pointed out these three security issues:
>
> * #1 – reported on 2019 02 18, disclosed on 2019 03 12 – HTTP page
> with form for MLs
> * #2 – reported on 2019 02 18, disclosed on 2019 03 12 – Certificate
> for https://server.sparta.eu
> * #3 – reported on 2019 03 12, disclosed on 2019 03 12 – Public
> access to MLs archives
>
> #3, the most critical one, has been fixed almost immediately. #1 and
> #2 have been addressed and tests are being made to ensure they can
> also be considered as fixed.
>
> The Project Security Officer of SPARTA (Florent Kirchner, CEA)
> scheduled a Security Advisory Board meeting to discuss this
> incident and improve the procedures and technical measures. Meetings
> with TNK (in charge of the IT infrastructure) and UBON (having
> reported the issues) are also being scheduled to get more information
> about the circumstances. A more complete description of the incident
> will be sent once the whole situation is better understood.
>
> The Security Advisory Board, composed of the Project Security Officer,
> the Program leaders, the Ethics Committee chair, and the Dissemination
> Committee chair can be contacted
> at bodies.security-advisory-board(a)internal.sparta.eu
> <mailto:bodies.security-advisory-board@internal.sparta.eu> (and security(a)sparta.eu
> <mailto:security@sparta.eu> for external parties).
>
> Do not hesitate to contact the Security Advisory Board or the
> coordination at bodies.coordination(a)internal.sparta.eu
> <mailto:bodies.coordination@internal.sparta.eu> for matters and
> questions related to this incident. Please be sure we are fully
> committed to its complete resolution.
>
> Best regards,
>
> --
>
> Thibaud Antignac
>
> CEA List
>
--
*YES WE HACK*
Twitter : @YesWeHack <https://twitter.com/yeswehack>
https://yeswehack.com
Personal Twitter : @nicoladiaz <https://twitter.com/nicoladiaz>
PGP :: B8E5 208A FB90 3460
__________________________
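The security.txt suggestion above points at securitytxt.org for the format, which has since been standardised as RFC 9116. The script below, added here as an example and not code from YesWeHack, securitytxt.org or sparta.eu, checks a security.txt file against the rules a reporter relies on: at least one Contact field holding a URI, exactly one Expires field with an RFC 3339 date-time that has not passed (and, as the RFC recommends, is less than a year away), and Preferred-Languages at most once. SAMPLE_GOOD and SAMPLE_BAD are constructed files, the contact addresses in them are placeholders, and NOW_FOR_SAMPLES fixes the clock so the expiry checks are reproducible.

```python
"""Validate a security.txt file against the mandatory rules of RFC 9116.

Added example for the security.txt suggestion in this thread; it is not
code from YesWeHack, securitytxt.org or sparta.eu. The sample files are
constructed and their addresses are placeholders.
"""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

REQUIRED = ("Contact", "Expires")
SINGLE_USE = ("Expires", "Preferred-Languages")
KNOWN = ("Acknowledgments", "Canonical", "Contact", "CSAF", "Encryption",
         "Expires", "Hiring", "Policy", "Preferred-Languages")
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return {field: [value, ...]}; field names are case-insensitive, so
    known ones are normalised. Lines without a colon go under '_malformed'."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no data
        if ":" not in line:
            fields.setdefault("_malformed", []).append(line)
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        canon = next((k for k in KNOWN if k.lower() == name.lower()), name)
        fields.setdefault(canon, []).append(value)
    return fields


def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return findings; an empty list means the file satisfies the checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = [f"malformed line: {line}" for line in fields.get("_malformed", [])]
    for name in REQUIRED:
        if name not in fields:
            findings.append(f"missing required field: {name}")
    for name in SINGLE_USE:
        if len(fields.get(name, [])) > 1:
            findings.append(f"{name} must appear only once")
    for value in fields.get("Contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            findings.append(f"Contact must be a URI (mailto:, tel: or https://): {value}")
    for value in fields.get("Expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not an RFC 3339 date-time: {value}")
            continue
        if expires.tzinfo is None:
            findings.append("Expires must carry a time zone")
        elif expires <= now:
            findings.append("file has expired")
        elif expires > now + timedelta(days=365):
            findings.append("Expires more than a year ahead (RFC 9116 recommends less)")
    return findings


# Fixed clock so the expiry checks on the samples are reproducible.
NOW_FOR_SAMPLES = datetime(2025, 1, 15, tzinfo=timezone.utc)

# Constructed file; addresses are placeholders, not sparta.eu's contacts.
SAMPLE_GOOD = """\
# Constructed example
Contact: mailto:security@example.org
Contact: https://example.org/report
Expires: 2025-12-31T23:59:00.000Z
Encryption: https://example.org/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.org/.well-known/security.txt
"""

SAMPLE_BAD = """\
Contact: security@example.org
Preferred-Languages: en
Preferred-Languages: fr
this line has no colon
"""

if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(f"== {label}")
        for finding in check_security_txt(text, now=NOW_FOR_SAMPLES) or ["no findings"]:
            print("  ", finding)
```

The Expires check is the one most often missed in practice: a file published once and never refreshed silently becomes invalid, so a scheduled run of this check against your own /.well-known/security.txt is a cheap way to keep the reporting channel working.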