Proxy protection NOT used, I can bypass X-Frame-Options

ashesh1708 at gmail.com
Tue Jun 16 03:54:26 EDT 2015


<html>
<body>
    
    <h3>Proxy protection NOT used, I can bypass
X-Frame-Options</h3><pre>I see that you don't
have reverse proxy protection; this allows all
users to proxy your website rather than iframe it.
They use it for:

+ Phishing
+ Tricking first-time Coinbase users into believing that the
(fake) website is the original website
+ Debugging pidgin.im (seeing every request and response
made on the fake website)

**Exploit**

1. I will create a fake website that closely
matches your domain or any other confusing domain.
2. I will post on many forums that "pidgin.im is
the best" etc., with my fake website link (better to
use a URL shortener!).
3. He will visit it and sign up.
4. As I have made that proxy, I can see all
requests made through it, thus passwords also!
5. I will hack him.

>NOTE: When he clicks on the confirmation link in his
email, he is redirected to the ORIGINAL website, but I
will get his password and username, and I would
log in with the username and password I have on the
original website.


How Facebook Handles it (Amazing Protection):
http://i.gyazo.com/1ca03e64dac455f24d0ac1c4a59218e4.png
(
https://translate.google.com/translate?hl=en&sl=auto&tl=zu&u=facebook.com
)

How your website handles it :( ->
https://translate.google.com/translate?hl=en&sl=auto&tl=zu&u=pidgin.im

An attacker can remove the Translate interface to
make the website look real; contact me if you want
a demo of that.

**POC**

I have attached a complete video with the POC.

POC URL:
https://translate.google.com/translate?hl=en&sl=auto&tl=zu&u=pidgin.im
 `Try submitting real login data (of a test account).
You'll get logged in!`


**FIX**

Here is the code that I use for stopping 100% of
these types of sites:


    # Refuse any request that arrives carrying a header a forwarding
    # proxy adds. Header names must be written in their real
    # dash-separated form: Apache's %{HTTP:...} looks the name up
    # verbatim, so the underscore spellings (X_FORWARDED_FOR) never match.
    # Each [OR] flag must stay on the same line as its RewriteCond.
    RewriteEngine on
    RewriteCond %{HTTP:Via}               !^$ [OR]
    RewriteCond %{HTTP:Forwarded}         !^$ [OR]
    RewriteCond %{HTTP:X-Forwarded-For}   !^$ [OR]
    RewriteCond %{HTTP:Proxy-Connection}  !^$ [OR]
    RewriteCond %{HTTP:Client-IP}         !^$ [OR]
    # Non-standard names kept from the original list.
    RewriteCond %{HTTP:Useragent-Via}     !^$ [OR]
    RewriteCond %{HTTP:XProxy-Connection} !^$ [OR]
    RewriteCond %{HTTP:PC-Remote-Addr}    !^$
    # Any match: answer 403 Forbidden instead of serving the page.
    # Clients behind a corporate or ISP proxy send these headers too
    # and receive the same 403.
    RewriteRule ^ - [F]


To use this code, copy & paste it into your site’s
root `.htaccess` file. Upload it to your server, and
test its effectiveness! It is perfect, and
compared to blacklisting a million sites of this
kind, it’s lightweight, concise, and very
effective.</pre>

DATE:    16/06/2015
HOUR:    07:54:26 am
IP:      127.6.47.129
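The rule above, mirrored at the application layer as an added example (this is not code from the report or from the Pidgin project): a WSGI middleware that refuses any request carrying the same proxy headers, exercised on constructed requests. The header list, the login_page stand-in and the sample requests are assumptions made for the demo. It also exercises the case the rule cannot distinguish, a legitimate user behind a corporate proxy, who is refused the same way.

```python
"""Application-layer equivalent of the .htaccess rule above (added example).

This is added illustration, not code from the report or from the Pidgin
project. It mirrors the mod_rewrite conditions as a WSGI middleware: any
request that carries a header a forwarding proxy normally adds is answered
with 403, which is what the [F] flag does. The wrapped login_page app and
the requests exercised under __main__ are constructed for the demo.
"""
from wsgiref.util import setup_testing_defaults

# Headers added by forwarding or rewriting proxies, in their real
# dash-separated form. WSGI exposes "X-Forwarded-For" as
# environ["HTTP_X_FORWARDED_FOR"], hence _environ_key below.
PROXY_HEADERS = (
    "Via",
    "Forwarded",
    "X-Forwarded-For",
    "Proxy-Connection",
    "Client-IP",
)


def _environ_key(header):
    """Map an HTTP header name to its CGI/WSGI environ key."""
    return "HTTP_" + header.upper().replace("-", "_")


def proxied_via(environ):
    """Return the first proxy header present with a non-empty value, else None.

    A header that is present but blank is ignored, matching the !^$ test in
    the RewriteCond lines.
    """
    for name in PROXY_HEADERS:
        if environ.get(_environ_key(name), "").strip():
            return name
    return None


def block_proxies(app):
    """Wrap a WSGI app: refuse proxied requests with 403, otherwise pass through."""
    def wrapper(environ, start_response):
        hit = proxied_via(environ)
        if hit is not None:
            body = ("Forbidden: request came through a proxy (%s)\n" % hit).encode()
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapper


def login_page(environ, start_response):
    """Minimal login form app standing in for the real site (constructed)."""
    body = b"<form method=\"post\">...</form>\n"
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Length", str(len(body)))])
    return [body]


def run(app, extra_headers):
    """Call a WSGI app on a constructed request; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    for name, value in extra_headers.items():
        environ[_environ_key(name)] = value
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    guarded = block_proxies(login_page)
    # A browser talking to the site directly is served.
    print(run(guarded, {}))
    # A request relayed by a proxy that adds Via is refused.
    print(run(guarded, {"Via": "1.1 proxy.example"}))
    # Caveat: a user behind a corporate or ISP proxy sends the same headers
    # and is refused too; the check cannot tell the two apart.
    print(run(guarded, {"X-Forwarded-For": "10.0.0.7"}))
```

Run it directly to see the three outcomes. The check keys on the dash-separated header names as WSGI exposes them (HTTP_X_FORWARDED_FOR), which is the same naming point that matters for the Apache version, and a blank header value is treated as absent, as the `!^$` conditions do.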
