
website takeover using clickjacking #1004

Closed
Vinaysati opened this issue Feb 6, 2024 · 7 comments

Comments

@Vinaysati

DESCRIPTION/EXPLANATION:

Clickjacking is a portmanteau of the two words 'click' and 'hijacking'. It refers to hijacking a user's click for malicious intent. In it, an attacker embeds the vulnerable site in a transparent iframe on the attacker's own website and overlays it with objects such as buttons using CSS skills. This tricks users into performing unintended actions on the vulnerable website, thinking they are doing them on the attacker's website. Clickjacking is also known as a "UI redress attack".

Severity: MEDIUM
Classification: CWE-1021, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

IMPACT:

Users are tricked into performing all sorts of unintended actions, such as typing in their password, clicking on a 'Delete my account' button, liking a post, deleting a post, or commenting on a blog. In other words, all the actions that a normal user can do on a legitimate website can be done using clickjacking.

STEPS TO REPRODUCE:

  1. Copy and paste the below HTML code into a file.

     <!-- Clickjacking PoC as posted in the issue; quotes corrected to straight quotes so the style attribute is actually applied -->
     <title>Clickjacking PoC</title>
     <iframe src="https://bitcoin.org/en/" width="100%" height="100%" style="opacity: 0.5;"></iframe>

  2. Edit the src attribute of the iframe tag. Change its URL to your target site and save the file.
  3. Launch the file in the browser.
  4. Observe that the website is getting embedded in an iframe.

MITIGATION:
In order to fix the issue, we must know the underlying reason that is causing it. Clickjacking is caused by allowing a third-party website to embed the vulnerable site using an iframe. Disallowing this can be done by setting HTTP headers that direct the browser not to allow the target website to be iframed. This can be done by configuring the server to send one of the following two response headers: X-Frame-Options or Content-Security-Policy. Implement any one of the below based on your business requirements:

  1. Content-Security-Policy: frame-ancestors 'none' : Set this if you want to disallow every domain from embedding your site in an iframe.

  2. Content-Security-Policy: frame-ancestors 'self' : Set this if you want to disallow every other domain from embedding your site in an iframe and allow only your own domain (i.e. the site itself) to embed it.

  3. Content-Security-Policy: frame-ancestors uri : Set this if you want to allow one specific URL to embed your site in an iframe and disallow all the others.

POC / Exploit Video
https://mega.nz/folder/gC9Vyb4L#-3TX_o4J5C6KjvGMdFjmlQ
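An added example, not from the issue or the bitcoincore.org repository, that models the three frame-ancestors settings listed in the mitigation section (plus X-Frame-Options): given a page's response headers, it decides whether a browser would let a given embedding origin frame the page. All URLs and header values in it are constructed placeholders.

```python
"""Decide whether a page may be framed, from its anti-framing response headers.

Hypothetical checker: supports CSP frame-ancestors 'none', 'self', '*', and
host sources (optional scheme, optional leading "*." wildcard), and the
X-Frame-Options values DENY / SAMEORIGIN. Ports and paths are ignored for brevity.
"""
from urllib.parse import urlsplit


def _origin(url):
    """Lower-cased (scheme, host) of a URL; port ignored for brevity."""
    p = urlsplit(url)
    return p.scheme.lower(), (p.hostname or "").lower()


def _frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]]
    return None


def _source_matches(source, embedder_url, page_url):
    """Does one frame-ancestors source expression permit embedder_url?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(embedder_url) == _origin(page_url)
    if source == "*":
        return True
    e_scheme, e_host = _origin(embedder_url)
    if "://" in source:                      # scheme-qualified host source
        scheme, host = source.split("://", 1)
        if scheme != e_scheme:
            return False
    else:                                    # bare host source
        host = source
    host = host.split("/")[0].split(":")[0]  # drop path and port
    if host.startswith("*."):
        return e_host.endswith(host[1:])     # "*.example.org" matches subdomains
    return e_host == host


def framing_allowed(headers, page_url, embedder_url):
    """True if a browser would render page_url inside a frame on embedder_url.
    A CSP frame-ancestors directive, when present, overrides X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        return any(_source_matches(s, embedder_url, page_url) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(embedder_url) == _origin(page_url)
    return True                              # no anti-framing header at all
```

Feed it the headers of a real response (for example from `curl -sI`) to confirm which of the three settings a site actually sends before filing a report.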

@achow101
Member

achow101 commented Feb 6, 2024

This repo is for bitcoincore.org, not bitcoin.org.

bitcoincore.org is a static website, there is nothing to clickjack.

If an attacker can direct a user to a malicious site where they can be clickjacked to click a malicious link, the attacker can also just set up a clone of bitcoincore.org on that malicious site and fill it with malicious links without needing to do any clickjacking. The website is static, and its full source code is right here.

@achow101 achow101 closed this as completed Feb 6, 2024
@Vinaysati

This comment was marked as spam.

@achow101
Member

achow101 commented Feb 6, 2024

Please describe actual impacts of your supposed vulnerability by using and demonstrating it on bitcoincore.org. Do not make vague statements about what clickjacking (or any other "vulnerability" you decide to report from your scanner) can do, describe actual effects on this specific website. Otherwise, this is just spam and noise and you've contributed nothing of use. Continue to do so and you will be blocked.

bitcoincore.org is not a web application. There are no accounts, no forms for users to submit, nothing. It's a static site with a bunch of links. If clickjacking allows an attacker to trick users to click on links/buttons that do something unexpected but still on the bitcoincore.org domain, then all they've done is redirect the user to some other static page.

@Vinaysati

This comment was marked as spam.

@achow101
Member

achow101 commented Feb 6, 2024

Which part of "please describe actual impacts" did you not understand?

I don't care about what your scanner says. Describe what an attacker can actually do.

@Vinaysati

This comment was marked as spam.

@bitcoin-core bitcoin-core locked as spam and limited conversation to collaborators Feb 6, 2024
@achow101
Member

achow101 commented Feb 6, 2024

It's clear you have no idea what you're actually doing and are just spamming automated scanner reports.
