Dear Thibaud,
Patrick is on vacation this week, but I forwarded the e-mail to our IT and they are
looking into it. Thanks for pointing it out.
Best regards,
Lisa
From: ANTIGNAC Thibaud <Thibaud.ANTIGNAC(a)cea.fr>
Sent: Tuesday, 24 August 2021 17:15
To: SPARTA Coordination Team <sparta(a)technikon.com>
Cc: security(a)sparta.eu; LEMESLE Augustin <augustin.lemesle(a)cea.fr>
Subject: Re: [security] Vulnerability Disclosure
Hello Patrick,
I hope you are going well.
Could you please have a look at the email received below?
Best regards,
--
Thibaud Antignac
CEA List
From: security <security-bounces@server.sparta.eu>
on behalf of Siddharth Researcher <guardedresearcher@gmail.com>
Date: Monday 23 August 2021 at 15:55
To: "security@sparta.eu" <security@sparta.eu>
Subject: [security] Vulnerability Disclosure
Hello Team,
I am Siddharth Zala, working as a security researcher, and I found a bug in your site. The
report of the bug is as follows:
a) Vulnerability name: Clickjacking On Sensitive Page
b) Vulnerability Description :
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a
malicious technique of tricking a Web user into clicking on something different from what
the user perceives they are clicking on, thus potentially revealing confidential
information or taking control of their computer while clicking on seemingly innocuous web
pages.
The server didn't return an X-Frame-Options header which means that this website could
be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used
to indicate whether or not a browser should be allowed to render a page in a <frame>
or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that
their content is not embedded into other sites.
This vulnerability affects the Web Server.
c) Steps to reproduce :
1. Copy the URL of the website and paste it into the clickjacking code.
2. This is sample code. Create a new HTML file and put
<iframe src="https://sparta.eu/" id="frame1" width="100%" height="100%">
into it.
3. Open the HTML file with another browser, click on "click here" and see that it is
redirected to bing.com.
d) POC :
I have attached a screenshot as well as the code of the clickjacking page:
<html>
<head>
<title>Clickjack test page</title>
<style>
#myBtn {
z-index: 999;
position: absolute;
top: 100px;
right: 50px;
color: white;
background-color: red;
}
</style>
</head>
<body>
<!-- <h1> A Sample Test Page </h1>
<p>Websites are vulnerable to clickjacking! </p>
<p>Avoid random clicks </p> -->
<!-- framed target page -->
<div style="z-index:-9999; position:absolute; top:0; left:0; width:70%; height:70%">
<iframe src="https://sparta.eu/" id="frame1" width="100%" height="100%">
</iframe>
</div>
<!-- overlay holding the visible button -->
<div align="right" style="position:absolute; top:1; left:0; z-index:1; width:70%; height:60%; text-align:left;">
<a href="https://www.bing.com/?toWww=1&redig=D1C96AD6DC434FA59D3D2AC0…" target="_blank"><button id="myBtn">click here</button></a>
<div id="myModal" class="modal">
<!-- Modal content -->
</div>
</div>
</body>
</html>
e) Solution :
There are two main ways to prevent clickjacking:
1. Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not
allow framing from other domains.
2. Employing defensive code in the UI to ensure that the current frame is the most top-level
window.
Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on
all web pages returned by your site (if you expect the page to be framed only by pages on
your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN,
otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM
allows specific websites to frame the web page in supported web browsers).
f) Impact:
By using the clickjacking technique, an attacker hijacks clicks meant for one page
and routes them to another page, most likely for another application, domain, or both.
Warm Regards
Siddharth Zala
Security Researcher
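The remedy the report proposes is the X-Frame-Options header. The script below is an added example, not code from the report or from SPARTA: it builds the anti-framing headers a server should send and evaluates a captured set of response headers to tell whether a page is framable. It also considers the Content-Security-Policy frame-ancestors directive, which the report does not mention and which browsers apply in preference to X-Frame-Options. All header sets in it are constructed samples, and the function names are this example's own.

```javascript
// Added example, not code from the report or from SPARTA. Evaluates a captured set
// of HTTP response headers for anti-framing protection and builds the headers a
// server should send. All header values in this file are constructed samples.

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Returns the effective framing policy of a response:
//   { protected: boolean, source: 'csp' | 'xfo' | 'none', policy: string, allowed?: string[] }
// Browsers apply a CSP frame-ancestors directive in preference to X-Frame-Options,
// so that directive is checked first.
function framingPolicy(headers) {
  const csp = getHeader(headers, 'content-security-policy');
  if (csp) {
    const directive = csp.split(';').map(d => d.trim())
      .find(d => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      if (sources.length === 0) return { protected: false, source: 'csp', policy: 'misconfigured' };
      if (sources.includes('*')) return { protected: false, source: 'csp', policy: 'any' };
      if (sources.length === 1 && sources[0] === "'none'") return { protected: true, source: 'csp', policy: 'none' };
      if (sources.every(s => s === "'self'")) return { protected: true, source: 'csp', policy: 'self' };
      return { protected: true, source: 'csp', policy: 'allowlist', allowed: sources };
    }
  }

  const xfo = getHeader(headers, 'x-frame-options');
  // The report's finding: no X-Frame-Options header at all.
  if (xfo === undefined) return { protected: false, source: 'none', policy: 'unset' };
  const values = xfo.split(',').map(v => v.trim().toUpperCase()).filter(Boolean);
  // More than one value (e.g. "DENY, SAMEORIGIN") is a misconfiguration to fix, not a policy.
  if (values.length !== 1) return { protected: false, source: 'xfo', policy: 'misconfigured' };
  if (values[0] === 'DENY') return { protected: true, source: 'xfo', policy: 'none' };
  if (values[0] === 'SAMEORIGIN') return { protected: true, source: 'xfo', policy: 'self' };
  // ALLOW-FROM is obsolete and ignored by current browsers; treat it as no protection.
  if (values[0].startsWith('ALLOW-FROM')) return { protected: false, source: 'xfo', policy: 'allow-from-obsolete' };
  return { protected: false, source: 'xfo', policy: 'invalid' };
}

// Headers a server should add to every HTML response. With sameOrigin=false the page can
// never be framed (DENY / 'none'); with sameOrigin=true only same-origin pages may frame it.
function antiFramingHeaders(sameOrigin = false) {
  return {
    'X-Frame-Options': sameOrigin ? 'SAMEORIGIN' : 'DENY',
    'Content-Security-Policy': sameOrigin ? "frame-ancestors 'self'" : "frame-ancestors 'none'",
  };
}

// Constructed sample: a response like the one the report describes (no anti-framing header).
const unprotectedResponse = { 'Content-Type': 'text/html; charset=utf-8', 'Server': 'example' };
// The same response after the recommended headers are applied.
const hardenedResponse = { ...unprotectedResponse, ...antiFramingHeaders(false) };

console.log('before:', framingPolicy(unprotectedResponse));
console.log('after: ', framingPolicy(hardenedResponse));
```

Run it with node; the "before" line reports the unset policy the report found, the "after" line reports the CSP policy 'none'. In practice the input to framingPolicy would be the header object returned by an HTTP client for each page of the site.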