Welcome back, amazing readers! Today, I want to share with you an important topic: how I discovered a clickjacking bug using a simple HTML script. During my recon phase, I first ran the usual tests for open redirects, XSS and BAC, but unfortunately I couldn’t find anything interesting.
However, while reviewing the response headers, I noticed that the X-Frame-Options header was missing. Without it, the site could be loaded inside a frame on another origin, which left it vulnerable to clickjacking, also known as UI redressing. Clickjacking is a dangerous technique used to deceive users into clicking on something other than what they think they’re clicking on: the target page is loaded in a frame and hidden or disguised behind seemingly harmless content. This can lead to the disclosure of private information or allow attackers to take control of their computers, all while the user believes they are interacting with a harmless website.
For the purpose of POC, I used this simple script:
<html>
  <head>
    <title>Clickjack test page</title>
  </head>
  <body>
    <iframe src="https://example.com" width="500" height="500"></iframe>
    <!-- Change the src attribute to the target URL -->
  </body>
</html>
To mitigate clickjacking attacks, it is crucial to enable the X-Frame-Options header and to set a Content Security Policy (CSP) header that restricts which origins may frame the page. Together these measures stop the site from being embedded in a frame on another origin and so protect against UI redressing.
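The header review described above and the mitigation just mentioned can be turned into one repeatable check. The script below is an added example, not code from the original post: it evaluates a response's X-Frame-Options and CSP frame-ancestors headers (CSP takes precedence in browsers that support it) and reports whether the page can be framed. The header dictionaries and the function names are my own constructions.

```python
"""Classify a page's framing protection from its HTTP response headers (added example)."""
import urllib.request
from typing import Dict, List, Optional


def _csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the lower-cased source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def assess_framing(headers: Dict[str, str]) -> str:
    """Return 'denied', 'same-origin', 'restricted' or 'unprotected'.

    CSP frame-ancestors is checked first because browsers that support it
    ignore X-Frame-Options when that directive is present. A Report-Only
    CSP header is deliberately not consulted: it does not block framing.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    csp = h.get("content-security-policy", "")
    ancestors = _csp_frame_ancestors(csp) if csp else None
    if ancestors is not None:
        if ancestors == ["'none'"]:
            return "denied"
        if ancestors == ["'self'"]:
            return "same-origin"
        return "restricted"  # framing limited to the listed origins
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # Missing header, or the deprecated ALLOW-FROM form that modern browsers ignore.
    return "unprotected"


def check_url(url: str) -> str:
    """Fetch a URL you are authorised to test and classify its framing protection."""
    with urllib.request.urlopen(url) as resp:  # real network call; not used by the tests
        return assess_framing(dict(resp.headers.items()))


if __name__ == "__main__":
    # Constructed sample: the situation from the write-up, a response with no framing header.
    sample = {"Content-Type": "text/html", "Server": "nginx"}
    print("framing protection:", assess_framing(sample))  # prints "unprotected"
```

A result of "unprotected" is the condition the write-up found; "restricted" means framing is allowed only from the origins listed in frame-ancestors and should be reviewed against the intended allow-list.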
If you’re interested in learning more about cybersecurity, stay tuned for upcoming articles where we’ll explore various cybersecurity topics. Thank you for joining me today!