pete2007

Clickjacking Vulnerability?

V2.3.4

Hello,

I've just received an email to say that there is a clickjacking vulnerability for the account_password.php page.

Is this something I should be worried about and if so what action can I take?

Thank you in advance.


Hi Burt, thank you for your reply, here is the email:

 

Quote
Hello,
Sir / Madam,
Security Support Team
My name is ______ from India. I am a security researcher.
I have found a clickjacking vulnerability.
Your website deals with security issues.
 
What is a clickjacking vulnerability?

1. Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

2. The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
 
Server-side methods – the most common is X-Frame-Options. Server-side methods are recommended by security experts as an effective way to defend against clickjacking.
 

This vulnerability affects the web server.
The vulnerable domain is :-
www.mysite.com/account_password.php

 
Steps to reproduce :-
1 :- I have given the exploit as follows.
2 :- Copy it to Notepad, paste it and save it as an .html file
3 :- Double-click that file to open it in a new browser tab

Exploit :-
 
<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p><font size="5" color="#bf0000"> Website is vulnerable to clickjacking! 500x500</font></p>
<iframe src="https://www.mysite.com/account_password.php" width="500"
height="500"></iframe>
</body>
</html>
 
Impact:
By using the clickjacking technique, an attacker hijacks clicks
meant for one page and routes them to another page, most likely
for another application, domain, or both.
 
*# Everything is shown in the POC in a quick way   ...
 

Best Regards,

 

29 minutes ago, René H4 said:

Interesting! Wouldn't it be wise to add this into the core? Or strongly recommended after installation?

The code that clickjacking uses is also used for legitimate reasons by some sites, like showing YouTube videos. So making it core would not be a good idea. There is an option to allow certain domains through but some have reported a response slow-down using it.

Also, this vulnerability has been around for many years, at least 10. It can only be used if a site has been hacked since the hacker's code has to be on the server. So the likelihood of it happening to a properly set up shop is probably negligible. But if you don't need to use iframes in your shop and think the protection is warranted, the blocking code can be added.
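
An added example, not part of the thread and not osCommerce code: a Python check that classifies a response's anti-framing headers, covering the X-Frame-Options header the email says is missing and the CSP frame-ancestors directive, which is the current way to allow certain domains. The header sets are constructed samples, partner.example is a placeholder, and only the first policy carrying frame-ancestors is read.

```python
# Added example: classify anti-framing response headers (constructed samples, no network).
def framing_policy(headers):
    """Return (verdict, detail) for a list of (name, value) response headers."""
    xfo, ancestors = set(), None
    for name, value in headers:
        key = name.strip().lower()
        if key == "x-frame-options":
            # Repeated or comma-joined headers contribute several tokens.
            xfo.update(t.strip().upper() for t in value.split(",") if t.strip())
        elif key == "content-security-policy" and ancestors is None:
            # Assumption: only the first policy carrying frame-ancestors is read.
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    ancestors = [p.lower() for p in parts[1:]]
                    break
    # When frame-ancestors is present, browsers ignore X-Frame-Options.
    if ancestors is not None:
        if not ancestors or ancestors == ["'none'"]:
            return "blocked", "frame-ancestors 'none'"
        if "*" in ancestors:
            return "unprotected", "frame-ancestors allows any origin"
        if ancestors == ["'self'"]:
            return "same-origin", "frame-ancestors 'self'"
        return "allow-list", " ".join(ancestors)
    if not xfo:
        return "unprotected", "no X-Frame-Options or frame-ancestors"
    if len(xfo) > 1:
        return "misconfigured", "conflicting values: " + ", ".join(sorted(xfo))
    token = next(iter(xfo))
    if token == "DENY":
        return "blocked", "X-Frame-Options DENY"
    if token == "SAMEORIGIN":
        return "same-origin", "X-Frame-Options SAMEORIGIN"
    if token.startswith("ALLOW-FROM"):
        return "unprotected", "ALLOW-FROM is obsolete; current browsers ignore it"
    return "misconfigured", "unrecognised value: " + token

# Constructed header sets; partner.example is a placeholder origin.
SAMPLES = {
    "as reported": [("Content-Type", "text/html")],
    "xfo": [("X-Frame-Options", "SAMEORIGIN")],
    "allow-from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "csp": [("X-Frame-Options", "DENY"),
            ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self' https://partner.example")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", framing_policy(hdrs))
```

Feeding it the headers actually returned for account_password.php shows whether the report still applies after a header is added in the server configuration or in PHP.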
