Hi team,
This time I found this vulnerability in your website: https://nycoin.net/
Severity: Medium
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.
This vulnerability affects the Web Server.
Here are the steps to reproduce the vulnerability:
1. Open Notepad and paste the following code (the opening `<iframe>` tag points at the reported site):

```html
<title>i Frame</title>
<iframe src="https://nycoin.net/">
This is clickjacking vulnerable
</iframe>
```

2. Save it as .html, e.g. s.html.
3. Open that...
As far as I know, this data is enough to prove that your site is vulnerable to Clickjacking; according to OWASP, it's more than enough.
https://www.owasp.org/index.php/Testing_for_Clickjacking_(OWASP-CS-004)
SOLUTION:
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
Check this out, and here is the solution for that.
Impact: Clickjacking is one of the security flaws which could be harmful in multiple scenarios. For example, an attacker can impose a blind XSS payload, and it won't be visible; whenever any victim clicks anywhere on your web page, the blind XSS is going to be executed and steal the victim's cookies.
Moreover, attackers can make the victim download a malicious file, allowing the attacker to remotely control the victim's PC and transfer any data or perform any unethical activity from the victim's PC without even their knowledge.
These are quite enough scenarios to understand the importance of this vulnerability.
I hope that you will fix this issue as soon as possible.
I look forward to hearing from you.
Thank you
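Added example, not part of the report above or of nycoin.net's code: an offline check of how a browser decides whether one page may frame another from the page's response headers. It goes beyond the single missing-header case in the report and covers the rules browsers actually apply: a CSP `frame-ancestors` directive takes precedence over `X-Frame-Options`, conflicting `X-Frame-Options` values block rendering, and unrecognised values (including the obsolete `ALLOW-FROM`) are ignored, which leaves the page frameable. The header sets in `demo()` are constructed samples, not captured traffic, and `attacker.example` / `partner.example` are placeholder hosts.

```python
"""Offline check of the anti-clickjacking headers a browser honours.

Added example for this report; not code from nycoin.net or the reporter's PoC.
The header sets in demo() are constructed samples, not captured traffic, and
attacker.example / partner.example are placeholder hosts.
Decision order follows the HTML spec's X-Frame-Options check: a CSP
frame-ancestors directive, when present, is authoritative and X-Frame-Options
is ignored; conflicting X-Frame-Options values block; unrecognised values
(including the obsolete ALLOW-FROM) are ignored, so framing is allowed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def _origin(url):
    """Lower-cased (scheme, host, port) tuple for a URL; port is None when omitted."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)


def _frame_ancestors(csp_value):
    """Source list of the frame-ancestors directive, or None if the CSP lacks it."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _host_source_matches(source, framer):
    """Match a CSP host-source (e.g. https://*.partner.example:443) against an origin.

    Simplification: a source without an explicit port matches any port.
    """
    scheme, host, port = framer
    if "://" in source:
        src_scheme, rest = source.split("://", 1)
        if src_scheme != scheme:
            return False
    else:
        rest = source
    src_host, _, src_port = rest.partition(":")
    if src_port and src_port != "*" and src_port != str(port or DEFAULT_PORTS.get(scheme)):
        return False
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])  # wildcard needs at least one label in front
    return host == src_host


def framing_allowed(headers, page_url, framer_url):
    """Return (allowed, reason) for framer_url embedding page_url.

    `headers` are page_url's response headers; names match case-insensitively and a
    repeated header must be passed comma-joined, as HTTP does.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = _origin(page_url), _origin(framer_url)

    # 1. CSP frame-ancestors is authoritative when present ('none' matches nothing).
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        for src in sources:
            if src == "*" or (src == "'self'" and framer == page):
                return True, f"CSP frame-ancestors allows {src}"
            if not src.startswith("'") and _host_source_matches(src, framer):
                return True, f"CSP frame-ancestors allows {src}"
        return False, "CSP frame-ancestors does not list the framing origin"

    # 2. X-Frame-Options is consulted only when no frame-ancestors directive exists.
    if "x-frame-options" not in h:
        return True, "no X-Frame-Options and no CSP frame-ancestors: any site may frame this page"
    values = {v.strip().lower() for v in h["x-frame-options"].split(",")} - {""}
    if not values:
        return True, "empty X-Frame-Options header is ignored"
    if len(values) > 1:
        return False, "conflicting X-Frame-Options values: browsers refuse to render"
    value = values.pop()
    if value == "deny":
        return False, "X-Frame-Options: DENY"
    if value == "sameorigin":
        return framer == page, "X-Frame-Options: SAMEORIGIN"
    return True, f"X-Frame-Options value {value!r} is not recognised and is ignored"


def demo():
    """Constructed sample responses for https://nycoin.net/ framed by an attacker site."""
    page, attacker = "https://nycoin.net/", "https://attacker.example/"
    cases = {
        "no header (as reported)": {},
        "X-Frame-Options: SAMEORIGIN": {"X-Frame-Options": "SAMEORIGIN"},
        "conflicting X-Frame-Options": {"X-Frame-Options": "DENY, SAMEORIGIN"},
        "obsolete ALLOW-FROM": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
        "CSP overrides X-Frame-Options": {
            "X-Frame-Options": "DENY",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
        },
    }
    return {name: framing_allowed(hdrs, page, attacker)[0] for name, hdrs in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'FRAMEABLE' if allowed else 'blocked  '}  {name}")
```

To run the same decision against the live site, feed it the headers from `curl -sI https://nycoin.net/` (the check itself stays offline). For the fix, the OWASP cheat sheet linked above recommends sending both `Content-Security-Policy: frame-ancestors 'self'` (or `'none'`) and `X-Frame-Options: SAMEORIGIN` (or `DENY`) on every response; the CSP directive is the one current browsers treat as authoritative, which is why the check consults it first, and the `X-Frame-Options` header covers older clients.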