website takeover using clickjacking #1004
Comments
This repo is for bitcoincore.org, not bitcoin.org. bitcoincore.org is a static website, there is nothing to clickjack. If an attacker can direct a user to a malicious site where they can be clickjacked to click a malicious link, the attacker can also just set up a clone of bitcoincore.org on that malicious site and fill it with malicious links without needing to do any clickjacking. The website is static, and its full source code is right here.
Please describe actual impacts of your supposed vulnerability by using and demonstrating it on bitcoincore.org. Do not make vague statements about what clickjacking (or any other "vulnerability" you decide to report from your scanner) can do, describe actual effects on this specific website. Otherwise, this is just spam and noise and you've contributed nothing of use. Continue to do so and you will be blocked. bitcoincore.org is not a web application. There are no accounts, no forms for users to submit, nothing. It's a static site with a bunch of links. If clickjacking allows an attacker to trick users to click on links/buttons that do something unexpected but still on the bitcoincore.org domain, then all they've done is redirect the user to some other static page.
Which part of "please describe actual impacts" did you not understand? I don't care about what your scanner says. Describe what an attacker can actually do.
It's clear you have no idea what you're actually doing and are just spamming automated scanner reports. |
DESCRIPTION/EXPLANATION:
Clickjacking is a portmanteau of two words, ‘click’ and ‘hijacking’. It refers to hijacking a user's click for malicious intent. In it, an attacker embeds the vulnerable site in a transparent iframe in the attacker's own website and overlays it with objects such as buttons using CSS skills. This tricks users into performing unintended actions on vulnerable websites, thinking they are doing those on the attacker's website. Clickjacking is also known as a "UI redress attack".
Severity
MEDIUM
Classification
CWE-1021 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
IMPACT:
Users are tricked into performing all sorts of unintended actions such as typing in the password, clicking on ‘Delete my account’ button, liking a post, deleting a post, commenting on a blog. In other words all the actions that a normal user can do on a legitimate website can be done using clickjacking.
STEPS TO REPRODUCE:
MITIGATION:
In order to fix the issue, we must know the underlying reason that is causing the issue. Clickjacking is caused by allowing a third-party website to embed the vulnerable site using an iframe. Disallowing this can be done by setting HTTP headers that direct the browser to not allow the target website to be iframed. This can be done by configuring the server to send either of the following two response headers: X-Frame-Options or Content-Security-Policy. Implement any one of the below based on your business requirements:
Content-Security-Policy: frame-ancestors 'none' : Set this if you want to disallow every domain from embedding your site in an iframe.
Content-Security-Policy: frame-ancestors 'self' : Set this if you want to disallow every other domain from embedding your site in an iframe and allow only your domain (i.e. the site itself) to embed itself in an iframe.
Content-Security-Policy: frame-ancestors uri : Set this if you want to allow a specific URL to embed your site in an iframe and disallow all the others.
POC / Exploit Video
https://mega.nz/folder/gC9Vyb4L#-3TX_o4J5C6KjvGMdFjmlQ
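As an added example (not part of the issue or of the bitcoincore.org project), the following helper evaluates the mitigation headers listed above the way a browser would: a `Content-Security-Policy` with `frame-ancestors` takes precedence, otherwise `X-Frame-Options` is consulted, and with neither header any origin may frame the page. The function names, the sample headers and the attacker origin are constructed for the example, and host-sources are assumed to be written as full origins (optionally with a `*.` wildcard host).

```python
from urllib.parse import urlsplit


def _origin(url: str) -> tuple:
    """Reduce a URL to its (scheme, host, port) origin triple."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)


def _frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [tok.lower() for tok in parts[1:]]
    return None


def _host_source_matches(source: str, ancestor_url: str) -> bool:
    """Match a host-source such as https://example.com or https://*.example.com."""
    s_scheme, s_host, s_port = _origin(source)
    a_scheme, a_host, a_port = _origin(ancestor_url)
    if s_scheme != a_scheme or s_port != a_port:
        return False
    if s_host.startswith("*."):
        return a_host.endswith(s_host[1:])  # "*.example.com" matches "a.example.com"
    return s_host == a_host


def may_be_framed(headers: dict, page_url: str, ancestor_url: str) -> bool:
    """True if a browser would let ancestor_url embed page_url given these response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:  # frame-ancestors present: X-Frame-Options is ignored
        for src in sources:
            if src == "'none'":  # treated as deny regardless of other sources
                return False
            if src == "'self'":
                if _origin(page_url) == _origin(ancestor_url):
                    return True
                continue
            if _host_source_matches(src, ancestor_url):
                return True
        return False
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(page_url) == _origin(ancestor_url)
    return True  # no framing header at all: any site may embed the page
```

Running it against a response that carries neither header returns True, which is the condition a scanner flags; the same page with `frame-ancestors 'none'` returns False for every foreign origin.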