Dear Team,

I am Vitesh Walunj working as a security researcher and I found a bug in your site report of bug is as follows :

a) Vulnerability name : clickjacking

b) Vulnerability Description :

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
This vulnerability affects Web Server.

c) Steps to reproduce :

1. Copy URL of website and paste it in clickjacking code

2. This is sample code

Create a new HTML file

put <iframe src="https://sparta.eu/" id="frame1"  width="100%"

height="100%" >    

3. Open html file with another browser and click on click here and see it is redirected to bing.com .



d) POC :

I have attached image as well as code of clickjacking :

<html>
   <head>
     <title>Clickjack test page</title>
   </head>
   <style>
    #myBtn{
     
        z-index: 999;
    position: absolute;
    top: 100px;
    right: 50px;
    color: white;
    background-color: red;
    }
    </style>
 
 
 
   <body>
   <!-- <h1> A Sample Test Page </h1>
     <p>https://sparta.eu/</p>
   
     <p>Avoid random clicks </p> -->
<div style="z-index:-9999; position:absolute;top:0; left:0;width: 70%; height:70%">
<iframe src="https://sparta.eu/"  width="100%"

height="100%" >
 
</iframe></div>
<div align="right" style="position:absolute; top:1; left:0; z-index:1; width: 70%;height:60%; text-align:left;">
<a href="https://www.bing.com/?toWww=1&redig=D1C96AD6DC434FA59D3D2AC05339EA9B" target="_blank"><button id="myBtn"> click here</button></a>


<div id="myModal" class="modal">

  <!-- Modal content -->
 

</div>
</body>
</html>

e) Solution :


There are two main ways to prevent clickjacking:

Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other domains
Employing defensive code in the UI to ensure that the current frame is the most top level window

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

f) Impact:

By using Clickjacking technique, an attacker hijacks click's meant for one page and routes them to another page, most likely for another application, domain, or both.  
Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

g) References:

https://hackerone.com/reports/405342
https://hackerone.com/reports/8724

h)POC: Attached Below html file.

With Kind regards ,

Vitesh Walunj