Clickjacking in the main domain

Cyber bounty cyberlord0x1 at
Sun Jan 20 17:02:37 EST 2019

 Hello Security Team


Domain: <>

Vulnerability: Clickjacking

Clickjacking (User Interface redress attack, UI redress attack, UI
redressing) is a malicious technique of tricking a Web user into clicking
on something different from what the user perceives they are clicking on,
thus potentially revealing confidential information or taking control of
their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header, which means that this
website could be at risk of a clickjacking attack. The X-Frame-Options HTTP
response header can be used to indicate whether or not a browser should be
allowed to render a page in a <frame> or <iframe>. Sites can use this to
avoid clickjacking attacks by ensuring that their content is not embedded
into other sites.
This vulnerability affects the web server.
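As an added check (not part of the original report), the following Python classifies a response's framing protection from its headers; it also looks at the CSP frame-ancestors directive, which current browsers honour in preference to X-Frame-Options when both are present. The SAMPLES dict is constructed for the demonstration and is not data from any real site.

```python
# Added example, not part of the original report: classify the framing
# protection in a response's headers (X-Frame-Options and CSP frame-ancestors;
# current browsers prefer frame-ancestors when both are present).
from typing import Dict, List, Optional, Tuple

def _values(headers: Dict[str, str], name: str) -> List[str]:
    """Case-insensitive header lookup; comma-joined values are split."""
    return [v.strip() for k, val in headers.items() if k.lower() == name.lower()
            for v in val.split(",") if v.strip()]

def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Lower-cased source list of frame-ancestors, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def framing_protection(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'protected', 'partial' or 'none'."""
    for csp in _values(headers, "Content-Security-Policy"):
        sources = parse_frame_ancestors(csp)
        if sources is None:
            continue  # this policy says nothing about framing; fall through
        if "*" in sources or "http:" in sources or "https:" in sources:
            return "partial", "frame-ancestors allows framing by any origin"
        return "protected", "CSP frame-ancestors " + " ".join(sources)
    xfo = {v.upper() for v in _values(headers, "X-Frame-Options")}
    if not xfo:
        return "none", "no X-Frame-Options or CSP frame-ancestors header"
    if len(xfo) > 1:  # browsers handle conflicting values inconsistently
        return "partial", "conflicting X-Frame-Options values: " + ", ".join(sorted(xfo))
    value = xfo.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return "protected", "X-Frame-Options " + value
    if value.startswith("ALLOW-FROM"):
        return "none", "ALLOW-FROM is obsolete and ignored by current browsers"
    return "none", "invalid X-Frame-Options value " + repr(value)

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo-deny": {"x-frame-options": "deny"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "obsolete": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
}

def audit(samples: Dict[str, Dict[str, str]] = SAMPLES) -> Dict[str, str]:
    """Map each sample name to its verdict."""
    return {name: framing_protection(h)[0] for name, h in samples.items()}
```

In a real audit the headers dict would come from the site's actual HTTP response (e.g. `requests.get(url).headers`), not from SAMPLES.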

POC:

1. Open Notepad and paste the following code:

<html>
<head>
<style>
/* overlay the framed page, half transparent, on top of this page */
#frame {
  opacity: 0.5;
  border: none;
  position: absolute;
  top: 0px;
  left: 0px;
  z-index: 1000;
}
</style>
<script>
window.onbeforeunload = function() {
  return "Do you want to leave?";
};
</script>
</head>
<body>
<p>site is vulnerable for CSRF!</p>
<!-- src: the page under test -->
<iframe id="frame" width="100%" height="100%" src=""></iframe>
</body>
</html>

2. Save it as <anyname>.html, e.g. s.html.
3. Just open that file in a browser.

reference :


By using the Clickjacking technique, an attacker hijacks clicks
meant for one page and routes them to another page, most likely
for another application, domain, or both.
Frame busting technique is the better framing protection.
Sending the proper X-Frame-Options HTTP response headers
that instruct the browser to not allow framing from other

Thanks !