Vulnerability: Clickjacking Email - ahmedchauhan328@gmail.com

Hi team, this time i founded this vulnerability in your website Issue: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a or 2.save it as .html eg s.html 3.and just simply open that.. 4. Understanding the Remedial Action for Clickjacking Clickjacking can be prevented using a host of client side browser plugins such as • NoScript – http://noscript.net • Web Protection Suite – http://www.comitari.com/Web_Protection_Suite These plugins are recommended for daily browsing and can also protect users against additional client side attacks, such as XSS (Cross Site Scripting). The above plugins are client side prevention techniques that should be taught to all application users; however, steps must also be taken from the developer’s end. The following techniques can be used to aid in the prevention of clickjacking: 4.1. X-Frame-Options The simplest of all the techniques that only requires a simple configuration setting; for example, this can be done within Apache using the following line:

Header always append X-Frame-Options
DENY

4.2. FrameBusting JavaScript This method utilizes JavaScript to “bust” iframes. This is done by checking if the current web page is the top web page (not within a frame) and if the web page is currently not the top page, then it becomes the top page. The following example segment of code can be used to demonstrate this:

if (top.location.hostname !=
self.location.hostname){
top.location.href = self.location.href;
}

It should be noted that recent techniques have found to be able to bypass this clickjacking prevention technique as seen in the whitepaper by web application security researcher Collin Jackson – http://www.collinjackson.com/research/xssauditor.pdf. 4.3.Unique URL request Similar to a CSRF nonce, this can be employed so attackers cannot deliver the attack URL easily. 4.4. CAPTCHAs Similar to the way it prevents attackers from spamming a web form, this can be used as an additional layer of verification on each transaction. 4.5. Element Randomization Generally it is possible to clickjack due to buttons and links being in a static area of the web page, allowing attackers to place invisible frames over them. A technique to prevent this from occurring is to randomize the links or buttons on load, thus preventing attackers from hard coding static iframes. Proof of concept: image.png EXPLOIT: the impact is high. This vulnerability can be linked to a multitude of attacks including keylogging and stealing user credentials. An example of an attack on a application could consist of sending out emails to authenticated users of the application. This would require either some amount of inside knowledge to target specific users. Alternatively, mass emails could be sent out in the hope one user logged in to the application responds. The email would contain an “interesting” link which directs the victim to a landing page displaying an advert. On the landing page is a “skip this ad” link that has a transparent iframe located over it (placed by the attacker). When the victim then clicks on the link, they will interact with the attacker’s malicious code. Further examples of clickjacking attacks can be seen occurring in the past on social media sites where victims are enticed into clicking links which spam their contacts as reported by the BBC News – http://www.bbc.co.uk/news/10224434. The clickjacking attack: The “clickjacking” attack allows an evil page to click on a “victim site” on behalf of the visitor. Many sites were hacked this way, including Twitter, Facebook, Paypal and other sites. They are all fixed, of course. The idea: The idea is very simple. Here’s how clickjacking was done with Facebook: A visitor is lured to the evil page. It doesn’t matter how. The page has a harmless-looking link on it (like “get rich now” or “click here, very funny”). Over that link the evil page positions a transparent Click here! The above demo attack which i showed you in the above scenario this can done same on your website by making the exploit according to your website as your website is vulnerable to click jacking. Reference : https://www.owasp.org/index.php/Testing_for_Clickjacking_(OWASP-CS-004) SOLUTION: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet Thanks [image: image.png] Regards, Ahmed