
[Bug]: Header Misconfiguration: Missing X-Frame-Options Leads to Clickjacking Attack #66

Open
termireum opened this issue Jul 4, 2024 · 0 comments
Labels
Bug Something isn't working Campaign: Archethic

Comments

@termireum

Description

Issue: The X-Frame-Options header is missing on this page, making it potentially vulnerable to clickjacking attacks.

Description: Clickjacking is a type of attack that tricks a user into clicking on something different from what the user perceives, effectively hijacking clicks meant for the legitimate webpage and routing them to an attacker’s page. This can result in unauthorized actions or disclosure of sensitive information.

Steps to Reproduce:

  1. Create a new HTML file (e.g., clickjacking_test.html).
  2. Copy and paste the following code.
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Clickjacking Test</title>
    <style>
        iframe {
            position: absolute;
            top: 0;
            left: 0;
            width: 100%;
            height: 100%;
            opacity: 0.5;
            z-index: 999;
        }
        button {
            position: absolute;
            top: 50%;
            left: 50%;
            transform: translate(-50%, -50%);
            z-index: 1000;
            padding: 20px;
            font-size: 20px;
            cursor: pointer;
        }
    </style>
</head>
<body>
    <button onclick="alert('Button Clicked!')">Click Me</button>
    <iframe src="https://bridge.archethic.net/bridge" frameborder="0"></iframe>
</body>
</html>
  3. Save the file and open it in a web browser (Chrome or Firefox).
  4. Observe that the https://bridge.archethic.net/bridge dashboard page is loaded within an iframe, and any interaction with the button will demonstrate the potential for clickjacking.

Logs / Images

Affected URLs:
https://bridge.archethic.net/bridge
https://bridge.archethic.net/localHistory
https://bridge.archethic.net/refund
https://www.archethic.net/wallet
https://dex.archethic.net/swap
https://dex.archethic.net/poolList
https://dex.archethic.net/farmList
https://aeweb.archethic.net/

Platform

No response

Version of Archethic apps

No response

Fix

To prevent clickjacking attacks, it is recommended to add the X-Frame-Options header to your HTTP response. This header can be set to DENY or SAMEORIGIN to prevent your pages from being framed by other websites.

Example:
X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN

Reference:
MetaMask Clickjacking Vulnerability Analysis

@termireum termireum added Bug Something isn't working Campaign: Archethic labels Jul 4, 2024
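The fix above names the legacy header only. As an added example (not code from the issue reporter or from the Archethic projects), the block below shows how a scanner or CI check would classify a response's framing policy from its headers, and which header pair a fix should emit. It also covers the modern counterpart the issue does not mention: a `Content-Security-Policy` `frame-ancestors` directive, which current browsers honour in preference to `X-Frame-Options` when both are present, and the obsolete `ALLOW-FROM` value, which browsers ignore (leaving the page frameable). The sample header sets are constructed stand-ins for the affected URLs, not captured responses.

```javascript
// Added example: classify a response's anti-framing policy from its headers,
// and produce the header pair a fix should send. Header names and values are
// the real ones; SAMPLES below are constructed, not captured from Archethic.

// HTTP header names are case-insensitive; normalise them for lookup.
// (Node's http.IncomingMessage.headers is already lower-cased; a raw object
// pasted from a browser's devtools may not be.)
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = Array.isArray(value) ? value.join(", ") : String(value);
  }
  return out;
}

// Extract the frame-ancestors source list from a CSP header value.
// Returns an array of sources (possibly empty), or null if the directive is absent.
function frameAncestors(csp) {
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Decide who may frame the page. Result is one of:
//   "none"        frameable by any origin (the state this issue reports)
//   "same-origin" only the page's own origin may frame it
//   "deny"        nobody may frame it
//   "allow-list"  an explicit list of origins may frame it
// CSP frame-ancestors wins over X-Frame-Options when both are present.
function framingPolicy(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const csp = h["content-security-policy"];
  if (csp) {
    const sources = frameAncestors(csp);
    if (sources !== null) {
      if (sources.length === 0 || sources.includes("'none'")) return "deny";
      if (sources.includes("*")) return "none";
      if (sources.every((s) => s === "'self'")) return "same-origin";
      return "allow-list";
    }
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "deny";
  if (xfo === "SAMEORIGIN") return "same-origin";
  // ALLOW-FROM is obsolete and ignored by current browsers; any other
  // unrecognised or absent value leaves the page frameable.
  return "none";
}

function isClickjackable(rawHeaders) {
  return framingPolicy(rawHeaders) === "none";
}

// Headers a fix should emit. Send both: frame-ancestors for current browsers,
// X-Frame-Options for old ones. Keep the two consistent (DENY <-> 'none',
// SAMEORIGIN <-> 'self'); a mismatch is resolved in favour of CSP.
function hardenedHeaders(allowSelf = false) {
  return {
    "X-Frame-Options": allowSelf ? "SAMEORIGIN" : "DENY",
    "Content-Security-Policy": `frame-ancestors ${allowSelf ? "'self'" : "'none'"}`,
  };
}

// Constructed sample responses (not real captures) standing in for the
// affected URLs, in the state the issue describes and after a fix.
const SAMPLES = {
  unprotected: { "Content-Type": "text/html; charset=utf-8", "Server": "nginx" },
  legacyOnly:  { "X-Frame-Options": "SAMEORIGIN" },
  cspWins:     { "X-Frame-Options": "DENY",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'" },
  bogusXfo:    { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  fixed:       hardenedHeaders(),
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(`${name}: policy=${framingPolicy(headers)} clickjackable=${isClickjackable(headers)}`);
}
```

In practice you would feed `framingPolicy` the `headers` object from an `http.get` or `fetch` response against each of the affected URLs; any result of `"none"` reproduces the finding without needing the iframe PoC.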