Bypass X-Frame-Options ( Proxy protection NOT used )

Ayer instalé Security Optimizer by SiteGround

Y hoy —no sé si es casualidad o no— recibo el correo de un tal Arslan Kabeer yaseenplay321@gmail.com

¿Qué debo hacer? A pesar de tener todo actualizado y al día últimamente tengo problemas de seguridad recurrentes.

Hi there,

Team I have found a vulnerability in your site.

bypass X-Frame-Options ( Proxy protection NOT used )

Proxy protection NOT used , i can bypass X-Frame-Options header and recreate clickjacking on the whole domain.

I see that you don't have a reverse proxy protection that allows attackers to proxy your website rather than iframe it.

POC :

<!DOCTYPE html>

<html>

<head>

<title>X-Frame-Bypass Web Component Demo</title>

<style>

html, body {

margin: 0;

padding: 0;

height: 100%;

overflow: hidden;

}

iframe {

display: block;

width: calc(100% - 40px);

height: calc(100% - 40px);

margin: 20px;

}

img {

position: absolute;

top: 0;

right: 0;

}

</style>

</head>

<body>

<h1> X-FRAME PROTECTION BYPASSED </h1>

</body>

</html>

FIX:

Content-Security-Policy: frame-ancestors 'self' is better, because it checks all frame ancestors

You should implement CSP header to avoid these sort of attacks

Please let me know if you want more information.

Hope that you appreciate my ethical disclosure of this vulnerability, hoping for the bounty.

Thank you!

Regards:

White HaT

Contenido solo visible a usuarios registrados

Citar

Respondido : 04/11/2024 8:10 am