
Bypass X-Frame-Options ( Proxy protection NOT used )  

 
Mariana
Active user

Yesterday I installed Security Optimizer by SiteGround

And today, whether by coincidence or not, I received an email from one Arslan Kabeer yaseenplay321@gmail.com

What should I do? Despite having everything updated and current, lately I have been having recurring security problems.

 

 

Hi there,

    Team I have found a vulnerability in your site.
 
    bypass X-Frame-Options ( Proxy protection NOT used )
 
    Proxy protection NOT used, I can bypass X-Frame-Options header and recreate clickjacking on the whole domain.
    I see that you don't have a reverse proxy protection that allows attackers to proxy your website rather than iframe it.
 
 
 
    POC :
 
 
    <!DOCTYPE html>
    <html>
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <meta name="description" content="X-Frame-Bypass: Web Component extending IFrame to bypass X-Frame-Options: deny/sameorigin">
        <title>X-Frame-Bypass Web Component Demo</title>
        <style>
            html, body {
                margin: 0;
                padding: 0;
                height: 100%;
                overflow: hidden;
            }
            iframe {
                display: block;
                width: calc(100% - 40px);
                height: calc(100% - 40px);
                margin: 20px;
            }
            img {
                position: absolute;
                top: 0;
                right: 0;
            }
        </style>

        <script src="x-frame-bypass.js" type="module"></script>
    </head>
    <body>
        <h1> X-FRAME PROTECTION BYPASSED </h1>

    </body>
    </html>

    FIX:
 
 
    Content-Security-Policy: frame-ancestors 'self' is better, because it checks all frame ancestors.
    You should implement CSP header to avoid this sort of attack.
 
 
    Please let me know if you want more information.
 
    Hope that you appreciate my ethical disclosure of this vulnerability, hoping for the bounty.
    Thank you!
 
    Regards:
    White HaT 
 
marianaeguaras.com xframe protection bypass

 

Replied: 04/11/2024 8:10 am
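
Added example, not part of the original post or of the quoted email: a small JavaScript check for the point under FIX, grading whether a response's headers restrict framing through CSP frame-ancestors or through X-Frame-Options. The function names, level labels and sample header values are constructed for illustration.

```javascript
// Added example, not from the original post. Header values below are constructed.
// Returns the source list of the first frame-ancestors directive in one policy,
// or null when it is absent (frame-ancestors has no default-src fallback).
function frameAncestors(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function gradeSources(sources) {
  const s = sources.map((x) => x.toLowerCase());
  if (s.length === 0 || (s.length === 1 && s[0] === "'none'")) return 'deny';
  // '*' or a bare scheme such as https: lets any site on that scheme frame the page.
  if (s.some((x) => x === '*' || /^[a-z][a-z0-9+.-]*:$/.test(x))) return 'open';
  return 'restricted';
}

// headers: object mapping lower-cased header names to their string values.
function framingProtection(headers) {
  // A comma separates independent policies, and every policy is enforced.
  const lists = (headers['content-security-policy'] || '')
    .split(',').map(frameAncestors).filter((l) => l !== null);
  if (lists.length > 0) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    const grades = lists.map(gradeSources);
    const level = ['deny', 'restricted', 'open'].find((g) => grades.includes(g));
    return { mechanism: 'csp', level };
  }
  const xfo = new Set((headers['x-frame-options'] || '').toUpperCase()
    .split(',').map((v) => v.trim()).filter(Boolean));
  // Conflicting values that include a valid one make browsers block framing.
  if (xfo.has('DENY') || (xfo.size > 1 && xfo.has('SAMEORIGIN'))) {
    return { mechanism: 'xfo', level: 'deny' };
  }
  if (xfo.has('SAMEORIGIN')) return { mechanism: 'xfo', level: 'restricted' };
  // Missing, ALLOW-FROM (obsolete) or unrecognised: no protection in current browsers.
  return { mechanism: 'none', level: 'open' };
}

const samples = [
  { 'x-frame-options': 'SAMEORIGIN' },
  { 'content-security-policy': "default-src 'self'; frame-ancestors 'self'" },
  { 'content-security-policy': 'frame-ancestors *', 'x-frame-options': 'DENY' },
  { 'x-frame-options': 'ALLOW-FROM https://example.com' },
];
for (const h of samples) console.log(JSON.stringify(h), framingProtection(h));
```

The third sample shows why both headers should agree: once frame-ancestors is present, a permissive source list overrides a strict X-Frame-Options value.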