
Vulnerability Report: Iframe Exploitation Attacker can perform any action within the iframe #2

@Liannajohn

Description


Hi team,

This time I found this vulnerability in your website: https://www.phoenixdao.io/

Severity: Medium

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

This vulnerability affects the Web Server.

Here are the steps to reproduce the vulnerability:

1. Open Notepad and paste the following code (a minimal HTML5 document; the page under test is loaded inside an iframe):

<!DOCTYPE html>
<title>i Frame</title>
<p>This is clickjacking vulnerable</p>
<iframe src="https://www.phoenixdao.io/" frameborder="1" height="500" width="500"></iframe>

2. Save it as .html, e.g. s.html

3. And open that...

As far as I know, this data is enough to prove that your site is vulnerable to Clickjacking; according to OWASP, it's more than enough.

https://www.owasp.org/index.php/Testing_for_Clickjacking_(OWASP-CS-004)

SOLUTION:

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

Check this out, and here is the solution for that.

Impact:
Clickjacking is one of the security flaws which could be harmful in multiple scenarios, such as: an attacker can impose a blind XSS payload, and it won't be visible; whenever any victim clicks anywhere on your web page, the blind XSS is going to be executed and steal the victim's cookies.

Moreover, attackers can make the victim download any malicious file, allowing the attacker to remotely control the victim's PC and transfer any data or perform any unethical activity from the victim's PC without even their knowledge.

These are quite enough scenarios to understand the importance of this vulnerability.

I hope that you will fix this issue as soon as possible.

I look forward to hearing from you.
Thank you
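The report's finding and its fix both come down to how a browser evaluates two response headers. The following is an added example, not code from the report or from the PhoenixDAO project: it models that decision offline so the "no header" condition and the hardened configuration from the OWASP cheat sheet can be compared side by side. The header dictionaries are constructed for illustration (not captured from the live site), the embedding origin https://attacker.example is hypothetical, and the function names are the author's own. It implements the rule current browsers follow: a CSP `frame-ancestors` directive, when present, wins over `X-Frame-Options`; `DENY` and `SAMEORIGIN` are honoured; the obsolete `ALLOW-FROM` and any unrecognised value are ignored, which leaves the page as frameable as if the header were missing.

```python
from urllib.parse import urlsplit

# Constructed sample responses (not captured from the site). REPORTED_RESPONSE
# mirrors the finding in the report: no X-Frame-Options and no CSP at all.
REPORTED_RESPONSE = {"Content-Type": "text/html; charset=utf-8"}

# What the OWASP cheat sheet recommends: send both headers, the legacy one for
# old browsers and frame-ancestors for everything current.
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if it is absent.
    An empty source list behaves like 'none'."""
    if csp is None:
        return None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _same_origin(a, b):
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def _source_matches(source, embedder, page):
    """Does one frame-ancestors source expression allow `embedder` to frame `page`?"""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return _same_origin(embedder, page)
    if src == "*":
        return True
    if src.endswith(":") and "://" not in src:        # scheme-source such as "https:"
        return embedder.scheme + ":" == src
    if "://" not in src:                               # bare host: same scheme as the page
        src = page.scheme + "://" + src
    pattern = urlsplit(src)
    if pattern.scheme != embedder.scheme:
        return False
    if pattern.port is not None and pattern.port != embedder.port:
        return False
    host = pattern.hostname or ""
    if host.startswith("*."):                          # wildcard needs at least one extra label
        return (embedder.hostname or "").endswith(host[1:])
    return host == embedder.hostname


def is_frameable(headers, embedder_origin, page_origin):
    """Model current browser behaviour: may a page served with `headers` be
    embedded in an <iframe> by a document at `embedder_origin`?"""
    embedder = urlsplit(embedder_origin)
    page = urlsplit(page_origin)

    # CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
    ancestors = _frame_ancestors(_header(headers, "Content-Security-Policy"))
    if ancestors is not None:
        return any(_source_matches(s, embedder, page) for s in ancestors)

    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return True                                    # the condition the report describes
    value = xfo.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return _same_origin(embedder, page)
    # ALLOW-FROM was dropped by browsers and any unrecognised value is ignored,
    # which leaves the page as frameable as if the header were missing.
    return True


if __name__ == "__main__":
    attacker = "https://attacker.example"              # hypothetical embedding origin
    target = "https://www.phoenixdao.io"
    print("as reported :", is_frameable(REPORTED_RESPONSE, attacker, target))
    print("hardened    :", is_frameable(HARDENED_RESPONSE, attacker, target))
```

This is a model, not a scan: to check what the live server actually sends, fetch the headers (for instance `curl -sI https://www.phoenixdao.io/` and look for `x-frame-options` and `content-security-policy` in the output) and feed them to `is_frameable`. Sending only `X-Frame-Options: DENY` is enough to stop the PoC in every current browser; adding `frame-ancestors` matters when some origins must be allowed to embed the page, because `ALLOW-FROM` no longer works anywhere and `frame-ancestors 'self' https://*.partner.example` is the only portable way to express that.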
