Hi,

Please note that posting such reports to public mailing lists is discouraged.
Please follow the guidelines outlined at https://www.apache.org/security/ for reporting to the proper lists/channels.

Dominik.

On Sat, Jan 6, 2024 at 11:26 AM Elias Finn <elias.ethics.researc...@gmail.com> wrote:
> Hello Team,
>
> As an Ethical Hacker I found some Vulnerabilities in your site, one of them
> is as follows.
>
> *Issue: CLICKJACKING*
>
> Clickjacking, also known as a "UI redress attack", is when an attacker uses
> multiple transparent or opaque layers to trick a user into clicking on a
> button or link on another page when they were intending to click on the
> top level page. Thus, the attacker is "hijacking" clicks meant for their
> page and routing them to another page, most likely owned by another
> application, domain, or both.
> Using a similar technique, keystrokes can also be hijacked. With a
> carefully crafted combination of stylesheets, iframes, and text boxes, a
> user can be led to believe they are typing in the password to their email
> or bank account, but are instead typing into an invisible frame controlled
> by the attacker.
>
> *PoC:*
> <html>
> <body>
> <iframe height="500" width="500" src="/ <https://www.alansasphalt.com/> https://poi.apache.org/ " ></iframe>
> </body>
> </html>
>
> *IMPACTS:*
> By using the Clickjacking technique, an attacker hijacks clicks meant for one
> page and routes them to another page, most likely for another application,
> domain, or both.
>
> *Remediation:*
> Frame busting technique is the better framing protection
> technique. Sending the proper X-Frame-Options HTTP response headers
> that instruct the browser to not allow framing from other
> domains.
>
> *For Fix:*
> It is missing an X-FRAME header. A user with the help of some tricky CSS
> can trick the user to click on the one-click actions.
> You should apply an X-FRAME header.
>
> *References:*
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
> https://www.owasp.org/index.php/Clickjacking
> https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Clickjacking_Defense_Cheat_Sheet.md
>
> *Note:* I’m hoping to receive a bounty reward for my current finding. I
> will be looking forward to hearing from you on this and will be reporting
> other vulnerabilities accordingly.
>
> Kind Regards
>
> *Elias Finn*
>
> *Snapshot:*
> [image: image.png]
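The quoted report's only check is whether a page can be loaded in an iframe, which reduces to inspecting the response headers. The following checker is an added example, not code from the thread or the Apache project; the function names, the three-level classification and the sample header sets are my own constructions, and it treats a Content-Security-Policy frame-ancestors directive as taking precedence over X-Frame-Options, which is how browsers resolve the two.

```python
"""Classify how well a response's headers prevent cross-origin framing.
Added example; all header values below are constructed samples."""
from typing import List, Mapping, Optional


def _lower(headers: Mapping[str, str]) -> Mapping[str, str]:
    """Header names are case-insensitive; normalise once for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def frame_ancestors(headers: Mapping[str, str]) -> Optional[List[str]]:
    """Return the CSP frame-ancestors source list, or None if absent.
    When present, browsers honour it and ignore X-Frame-Options."""
    csp = _lower(headers).get("content-security-policy")
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_protection(headers: Mapping[str, str]) -> str:
    """'strong': only the same origin (or nobody) may frame the page.
    'weak':   framing is restricted, but to more than the page's own origin,
              or via ALLOW-FROM, which modern browsers do not honour.
    'none':   any origin may frame the page (the situation in the report)."""
    ancestors = frame_ancestors(headers)
    if ancestors is not None:
        if "*" in ancestors:
            return "none"
        return "strong" if ancestors in (["none"], ["self"]) else "weak"
    value = _lower(headers).get("x-frame-options", "").strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return "strong"
    if value.startswith("ALLOW-FROM"):
        return "weak"
    return "none"


# Constructed samples: the reported state (no framing header at all) and
# two hardened variants a site operator could deploy instead.
UNPROTECTED = {"Content-Type": "text/html"}
HARDENED_XFO = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
HARDENED_CSP = {"Content-Type": "text/html",
                "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}

if __name__ == "__main__":
    for name, hdrs in (("unprotected", UNPROTECTED), ("xfo", HARDENED_XFO), ("csp", HARDENED_CSP)):
        print(f"{name}: {framing_protection(hdrs)}")
```

Run it against real responses by feeding in the header dict from an HTTP client of your choice; a result of "none" on a page with authenticated one-click actions is the condition the report describes.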