Proxy protection NOT used, I can bypass X-Frame-Options
ashesh1708 at gmail.com
Tue Jun 16 03:54:26 EDT 2015
<html>
<body>
<h3>Proxy protection NOT used, I can bypass X-Frame-Options</h3><pre>I see that you don't
have a reverse proxy protection this allows all
users to proxy your website rather than iframe it.
They use it for
+ Phishing
+ Tricking first-time Coinbase users into believing the (fake
website) is the original website
+ Debug pidgin.im (see all requests and responses
made on the fake website)
**Exploit**
1. I will create a fake website which closely
matches your domain or any other confusing domain.
2. I will post on many forums that "pidgin.im is
best" etc. with my fake website link (better to
use a URL shortener!)
3. He will visit here and sign up.
4. As I have made that proxy, I can see all
requests made on them, thus passwords also!
5. I will hack him.
>NOTE: When he clicks on the confirmation link in his
email, he is redirected to the ORIGINAL website, but I
will get his password and username and I would
log in with the username and password I have on the
original website.
How Facebook Handles it (Amazing Protection):
http://i.gyazo.com/1ca03e64dac455f24d0ac1c4a59218e4.png
(
https://translate.google.com/translate?hl=en&sl=auto&tl=zu&u=facebook.com
)
How your website handles it :( ->
https://translate.google.com/translate?hl=en&sl=auto&tl=zu&u=pidgin.im
An attacker can remove the Translate interface to
make the website look real; contact me if you want
a demo of that.
**POC**
I have attached a complete video with POC.
POC URL:
https://translate.google.com/translate?hl=en&sl=auto&tl=zu&u=pidgin.im
`try submitting real login data (of test account)
You'll get logged in!`
**FIX**
Here is the code that I use for stopping 100% of
these types of sites:
RewriteEngine on
# mod_rewrite's %{HTTP:...} looks a request header up by its wire name,
# so the names must be hyphenated (not the CGI-style HTTP_X_Y variables).
# Each condition fires when the header is present and non-empty.
RewriteCond %{HTTP:Via} !^$ [OR]
RewriteCond %{HTTP:Forwarded} !^$ [OR]
RewriteCond %{HTTP:Useragent-Via} !^$ [OR]
RewriteCond %{HTTP:X-Forwarded-For} !^$ [OR]
RewriteCond %{HTTP:Proxy-Connection} !^$ [OR]
RewriteCond %{HTTP:Xproxy-Connection} !^$ [OR]
RewriteCond %{HTTP:PC-Remote-Addr} !^$ [OR]
RewriteCond %{HTTP:Client-IP} !^$
# Any match above: refuse the request with 403 Forbidden
RewriteRule ^(.*)$ - [F]
To use this code, copy & paste it into your site's
root `.htaccess` file. Upload it to your server, and
test its effectiveness! It is perfect, and
compared to blacklisting a million sites of this
kind, it's lightweight, concise, and very
effective.</pre><br/>DATE: 16/06/2015<br/>HOUR:
07:54:26 am<br/>IP:
127.6.47.129<br/><br/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20150616/806f7f4a/attachment.html>
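The header check behind the reporter's `.htaccess` rules, written here as an added WSGI middleware (not code from the report or from Pidgin) and exercised on constructed requests; the header values and the `hello_app` stand-in are assumptions for the demonstration.

```python
from wsgiref.util import setup_testing_defaults

# Same header set the RewriteCond lines test; any non-empty value rejects.
PROXY_HEADERS = (
    "Via", "Forwarded", "Useragent-Via", "X-Forwarded-For",
    "Proxy-Connection", "Xproxy-Connection", "PC-Remote-Addr", "Client-IP",
)

def wsgi_key(header):
    """WSGI exposes request headers as HTTP_<NAME> with '-' mapped to '_'."""
    return "HTTP_" + header.upper().replace("-", "_")

def proxy_indicators(environ):
    """Names of proxy-revealing headers that are present and non-empty."""
    return [h for h in PROXY_HEADERS if environ.get(wsgi_key(h), "").strip()]

def block_proxied(app):
    """Middleware equivalent of `RewriteRule ^(.*)$ - [F]`: 403 on any match."""
    def wrapped(environ, start_response):
        if proxy_indicators(environ):
            body = b"Forbidden: request arrived through a proxy"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped

def hello_app(environ, start_response):
    """Stand-in for the protected site (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"login page"]

def run(app, headers):
    """Drive a WSGI app with constructed request headers; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    for name, value in headers.items():
        environ[wsgi_key(name)] = value
    status = {}
    def start_response(s, h, exc_info=None):
        status["s"] = s
    body = b"".join(app(environ, start_response))
    return status["s"], body

if __name__ == "__main__":
    app = block_proxied(hello_app)
    # Direct browser visit: no proxy headers, page served
    print(run(app, {"Host": "pidgin.im"}))
    # Relayed by a proxy that adds Via / X-Forwarded-For (constructed): refused
    print(run(app, {"Host": "pidgin.im", "Via": "1.1 relay.example",
                    "X-Forwarded-For": "203.0.113.7"}))
```

Users behind ordinary corporate or ISP forward proxies carry the same headers and are refused too, while a proxy that strips them passes unnoticed, so the check trades a false-positive rate for catching only proxies that announce themselves.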