[security] Vulnerability Disclosure

Hello Team, I am Siddharth Zala working as a security researcher and I found a bug in your site report of bug is as follows : a) Vulnerability name: Clickjacking On Sensitive Page b) Vulnerability Description : Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. This vulnerability affects the Web Server. c) Steps to reproduce : 1. Copy the URL of the website and paste it in clickjacking code 2. This is sample code Create a new HTML file put <iframe src="https://sparta.eu/" id="frame1" width="100%" height="100%" > 3. Open the Html file with another browser and click on click here and see it is redirected to bing.com. d) POC : I have attached Screenshot as well as code of clickjacking : <html> <head> <title>Clickjack test page</title> </head> <style> #myBtn{ z-index: 999; position: absolute; top: 100px; right: 50px; color: white; background-color: red; } </style> <body> <!-- <h1> A Sample Test Page </h1> <p>Websites are vulnerable to clickjacking! </p> <p>Avoid random clicks </p> --> <div style="z-index:-9999; position:absolute;top:0; left:0;width: 70%; height:70%"> <iframe src=" https://sparta.eu/" id="frame1" width="100%" height="100%" > </iframe></div> <div align="right" style="position:absolute; top:1; left:0; z-index:1; width: 70%;height:60%; text-align:left;"> <a href=" https://www.bing.com/?toWww=1&redig=D1C96AD6DC434FA59D3D2AC05339EA9B&qu… target="_blank"><button id="myBtn"> click here</button></a> <div id="myModal" class="modal"> <!-- Modal content --> </div> </body> </html> e) Solution : There are two main ways to prevent clickjacking: Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other domains Employing defensive code in the UI to ensure that the current frame is the most top-level window Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). f) Impact: By using the Clickjacking technique, an attacker hijacks click's meant for one page and routes them to another page, most likely for another application, domain, or both. Warm Regards Siddharth Zala Security Researcher