Clickjacking

Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website.

Vulnerability Name: Clickjacking on [Domain name]

Vulnerability Description: Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.

[Don't forget to add your own vulnerability description; the one given above is a general description]

Steps to Reproduce: [Create your own Steps to Reproduce according to the workflow of the website]

Proof-of-concept: Snapshots or video link attached.

POC Code:

<!DOCTYPE html>
<html>
<head>
<title>This website is vulnerable to clickjacking</title>
</head>
<body>
<iframe style="height: 500px; width: 500px;" src="https://Vulnerable website name"></iframe>
</body>
</html>

Impact: An attacker could embed your website in an iframe on a page they control and, by disguising the interface, trick the user into unintentionally performing dangerous actions. On its own this kind of attack may not seem very dangerous, but combined with other vulnerabilities it could be deadly.

Attack Scenario: [Create your own attack scenario according to the workflow of the website]

Remediation: Server-side protection against clickjacking is provided by defining and communicating constraints over the use of components such as iframes.

  1. Implementing X-Frame-Options response headers.

  2. Implementing Content Security Policy.
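
Verifying the remediation: the following is an added example, not part of the original report template. It classifies a response's headers to tell whether either of the two remediations above is actually enforced. The function name framingProtection and the sample header sets used to exercise it are assumptions constructed for illustration.

```javascript
// Added example: classify the anti-framing headers of one HTTP response.
// `headers` is a plain object of response header names to values.
function framingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();

  // 1. CSP frame-ancestors: checked first because browsers that support it
  //    use it in preference to X-Frame-Options. Several policies may arrive
  //    comma-joined; all are enforced, so one restrictive policy is enough.
  for (const policy of (h["content-security-policy"] || "").split(",")) {
    for (const directive of policy.split(";")) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() !== "frame-ancestors") continue;
      // A wildcard or a bare scheme lets any site frame the page.
      const open = sources.some((s) => ["*", "http:", "https:"].includes(s.toLowerCase()));
      // An empty source list matches nothing, which is the same as 'none'.
      if (!open) return { ok: true, via: "csp", detail: sources.join(" ") || "'none'" };
    }
  }

  // 2. X-Frame-Options: only a single DENY or SAMEORIGIN is relied on.
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") {
    return { ok: true, via: "x-frame-options", detail: xfo };
  }

  // 3. Nothing enforceable: report the most likely reason.
  let detail = "no anti-framing header";
  if (xfo.startsWith("ALLOW-FROM")) {
    detail = "ALLOW-FROM is obsolete and ignored by current browsers";
  } else if (xfo) {
    detail = "unrecognised X-Frame-Options value: " + xfo;
  } else if (/frame-ancestors/i.test(h["content-security-policy-report-only"] || "")) {
    detail = "frame-ancestors is report-only, not enforced";
  } else if (/frame-ancestors/i.test(h["content-security-policy"] || "")) {
    detail = "frame-ancestors allows any origin";
  }
  return { ok: false, via: null, detail };
}
```

A result with ok set to false and a detail other than "no anti-framing header" means a header is present but does not stop framing, which is worth stating explicitly in the report's remediation section.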