Closed
Bug 1077987
Opened 11 years ago
Closed 11 years ago
clickjacking (missing X-frame-options header on /security/ pages)
Categories
(www.mozilla.org :: General, defect, P3)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: eryash9, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: clickjacking)
Attachments
(1 file)
321.63 KB,
image/png
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
Steps to reproduce:
Hi, I am Yash Pandya. I have found a clickjacking vulnerability (https://www.owasp.org/index.php/Clickjacking) in https://www.mozilla.org/security/bug-bounty.html
See the code below for the PoC:
<html><head>
<title> Clickjacking testing </title>
<style>
  /* The iframe below carries id="frame", so the selector must be #frame;
     the bare element selector "frame" matched nothing. */
  #frame {
    opacity: 0.5;
    border: none;
    position: absolute;
    top: 0px;
    left: 0px;
    z-index: 1000;
  }
</style>
</head>
<body>
<script>
  // Prompt before the page is left, so the framed content stays visible.
  window.onbeforeunload = function()
  {
    return " Do you want to leave ?";
  }
</script>
<p> site is vulnerable for clickjacking! by yash</p>
<iframe id="frame" width="100%" height="100%" src="https://www.mozilla.org/security/announce/"></iframe>
</body>
</html>
I have also attached a screenshot for the PoC.
Actual results:
The https://www.mozilla.org/security/announce/ website embeds within an iframe, which should not happen in any way.
Expected results:
The site should not be embeddable within an iframe.
Group: mozilla-services-security → websites-security, www-mozilla-org-confidential
Priority: -- → P3
Product: Mozilla Services → www.mozilla.org
Whiteboard: clickjacking
Comment 1•11 years ago
The majority of the www.mozilla.org site does use the X-Frame-Options header. There's not actually that much to clickjack on the site but there you are.
The /security/ pages are remnants of an older site grafted onto the current site. These are actually scheduled to transition to the main code framework for the site some time soon (see bug 1026184) and will probably pick up the XFO header by default, but with or without that header there is absolutely nothing on those pages to clickjack. Yes, you can frame it, but framing is a long-standing GOOD part of the web that lets people creatively combine content from different sources -- especially those that hearken back to the days when web pages were documents rather than whizzy applications with dangerous buttons.
Framing != clickjacking, and your proof of concept does not demonstrate any clickjacking risk on these pages.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Flags: sec-bounty-
Resolution: --- → INVALID
Summary: clickjacking → clickjacking (missing X-frame-options header on /security/ pages)
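The following is an added example, not part of this bug report or of the mozilla.org code base: a small defensive check that decides, from a response's headers, whether a page served by one origin may be framed by another, covering both the X-Frame-Options header discussed above and the CSP frame-ancestors directive that takes precedence over it. The header sets and origins in the tests are constructed; origin matching is exact, with no wildcard host patterns.

```python
from typing import Dict, List, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def can_be_framed_by(headers: Dict[str, str], page_origin: str, framer_origin: str) -> bool:
    """Decide whether a document served with `headers` from `page_origin` may be
    embedded in a frame by a document at `framer_origin`.

    Simplified rules: a CSP frame-ancestors directive, when present, overrides
    X-Frame-Options entirely; XFO DENY blocks all framing; XFO SAMEORIGIN allows
    only the page's own origin; any other XFO value (ALLOW-FROM, typos) is
    treated as if the header were absent, matching current browser behaviour.
    Sources are compared as exact, lower-cased origins (a constructed simplification).
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            if "'none'" in sources:
                return False
            if "'self'" in sources and framer_origin.lower() == page_origin.lower():
                return True
            return framer_origin.lower() in sources or "*" in sources
    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return False
        if value == "SAMEORIGIN":
            return framer_origin.lower() == page_origin.lower()
    # No effective framing restriction: any origin may embed the page.
    return True
```

With no restrictive header at all, as on the /security/ pages described in this bug, the function reports that any origin may frame the page; this says nothing about whether there is anything clickable worth hijacking, which is the distinction the comment above draws.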
Updated•11 years ago
Group: www-mozilla-org-confidential, websites-security
Updated•2 years ago
Keywords: reporter-external