Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] **Big Title:Clickjacking (User Interface redress attack, UI redress attack, UI redressing) on sensitive action.** #21

Open
Zer0Leet opened this issue Jan 30, 2022 · 2 comments
Open

[BUG] **Big Title:Clickjacking (User Interface redress attack, UI redress attack, UI redressing) on sensitive action.** #21

Zer0Leet opened this issue Jan 30, 2022 · 2 comments
Assignees
@sydneyitguy
Labels
bug Something isn't working

Comments

@Zer0Leet
Copy link

Describe the bug
Big Title:Clickjacking (User Interface redress attack, UI redress attack, UI redressing) on sensitive action.

A clear and concise description of what the bug is.
Hello Security,
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
This vulnerability affects Web Server.

To Reproduce

Proof of concept:
1.Open URL: https://neverlose.money/
2.put the url in the below code of iframe

<title>i Frame</title>

This is clickjacking vulnerable

<iframe src="https://neverlose.money/" frameborder="2 px" height="500px" width="80%"></iframe>

3.Observe that site is getting displayed in Iframe

Expected behavior

A clear and concise description of what you expected to happen.
IMPACT:
An attacker can host this domain in other evil site by using iframe and if a user fill the given filed it can directly redirect as logs to attacker and after its redirect to your web server.. its lead to steal user information too and use that host site as phishing of your site its CSRF and Clickjacking.By using Clickjacking technique, an attacker hijack's click's meant for one page and route them to another page, most likely for another application, domain, or both.

Screenshots
00

Remediation:
Frame busting technique is the better framing protection
technique.
Sending the proper X-Frame-Options HTTP response headers
that instruct the browser to not allow framing from other
domains

Add any other context about the problem here.

Bounty information

  1. Reporter's email address: [email protected]
  2. What crypto currency do you want to receive the bounty?: (BTC )
  3. Wallet address to receive the bounty: 1NSyPFzjPh7fKJp2KztxJ5drrNLYfwewsn
@Zer0Leet Zer0Leet added the bug Something isn't working label Jan 30, 2022
@Zer0Leet
Copy link
Author

Zer0Leet commented Feb 2, 2022

Any update on this?

@Zer0Leet Zer0Leet changed the title [BUG] **Enter title here** [BUG] **Big Title:Clickjacking (User Interface redress attack, UI redress attack, UI redressing) on sensitive action.** Feb 2, 2022
@Zer0Leet
Copy link
Author

Zer0Leet commented Feb 4, 2022

Any update on this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sydneyitguy sydneyitguy

Labels
bug Something isn't working
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sydneyitguy @Zer0Leet