3 years ago
(Reporter: Paresh, Unassigned)

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Steps to reproduce: <-- AFFECTED SITE

Save this source code with a .html extension.
After saving, run the HTML file.
Now open the file.

<!-- Top layer: the framed target page, made semi-transparent so the overlay underneath shows through.
     The src is left empty here; it points at the affected site. -->
<div style="z-index:2; position:absolute; top:0; left:0; width:80%; height:80%">
<iframe src="" id="frame1" style="opacity:0.4; filter:alpha(opacity=40);" width="100%" height="100%" onmouseover="this.style.opacity=0.5" onmouseout="this.style.opacity=0"></iframe>
</div>
<!-- Bottom layer: the attacker-controlled decoy the victim believes they are clicking. -->
<div align="right" style="position:absolute; top:0; left:0; z-index:1; width:80%; height:80%; background-color:yellow; text-align:left;">
<strong>Clickjacking PoC by paresh</strong><br/>
</div>

Actual results:

It might be possible for a web page controlled by an attacker to load the content of this response within an iframe on the attacker's page. This may enable a "clickjacking" attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.

Expected results:

You should review the application functions that are accessible from within the response, and determine whether they can be used by application users to perform any sensitive actions within the application. If so, then a framing attack targeting this response may result in unauthorized actions. To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself.

For mitigation, you may want to add the HTTP header X-Frame-Options and set it to DENY.

I already reported this issue here but there's no reply, so I'm reporting here....

Thank YOU

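Added example, not part of the report or of any Mozilla code: a small checker that classifies a response's framing protection from its headers, covering the X-Frame-Options values named above (DENY, SAMEORIGIN) and also the Content-Security-Policy frame-ancestors directive, which modern browsers prefer over X-Frame-Options when both are present. The header dictionaries are constructed sample data, not captured from any real site.

```python
"""Classify whether an HTTP response can be framed by a third-party page.

Added example; the sample headers below are constructed, not real captures.
"""

from typing import List, Mapping, Optional


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if the
    CSP has no such directive.  Keyword sources ('none', 'self') are lowercased;
    host sources are kept as written."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() if t.startswith("'") else t for t in tokens[1:]]
    return None


def framing_protection(headers: Mapping[str, str]) -> str:
    """Return one of:
      "csp-none"        frame-ancestors 'none'      -> framing blocked everywhere
      "csp-restricted"  frame-ancestors <sources>   -> framing limited to listed origins
      "xfo-deny"        X-Frame-Options: DENY
      "xfo-sameorigin"  X-Frame-Options: SAMEORIGIN
      "xfo-invalid"     X-Frame-Options present but not a value browsers honour
      "unprotected"     neither header present      -> any page may frame the response

    Header names are compared case-insensitively, as HTTP requires.  A CSP
    frame-ancestors directive is checked first because browsers that support it
    ignore X-Frame-Options when both headers are sent.
    """
    lower = {name.lower(): value for name, value in headers.items()}

    csp = lower.get("content-security-policy")
    if csp:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            return "csp-none" if ancestors == ["'none'"] else "csp-restricted"

    xfo = lower.get("x-frame-options")
    if xfo is None:
        return "unprotected"
    value = xfo.strip().upper()
    if value == "DENY":
        return "xfo-deny"
    if value == "SAMEORIGIN":
        return "xfo-sameorigin"
    # ALLOW-FROM, comma-joined duplicates, typos: browsers ignore these, so
    # the page is effectively frameable.
    return "xfo-invalid"


def is_frameable_by_third_party(headers: Mapping[str, str]) -> bool:
    """True when the response carries no framing defence a browser will enforce."""
    return framing_protection(headers) in ("unprotected", "xfo-invalid")


# Constructed sample responses for a quick manual run.
SAMPLE_RESPONSES = {
    "no header at all": {"Content-Type": "text/html"},
    "deny": {"X-Frame-Options": "DENY"},
    "sameorigin, lowercase name": {"x-frame-options": "SAMEORIGIN"},
    "legacy allow-from": {"X-Frame-Options": "ALLOW-FROM https://example.test"},
    "csp wins over xfo": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "SAMEORIGIN",
    },
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(f"{label:28} {framing_protection(hdrs):15} frameable={is_frameable_by_third_party(hdrs)}")
```

Run it against the headers of the affected response (for example from a saved HTTP response in a scanner or browser devtools); anything classified "unprotected" or "xfo-invalid" is the condition described in the "Actual results" text, and the fix is the DENY / SAMEORIGIN header or a frame-ancestors directive.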

3 years ago
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1130875

Comment 2

3 years ago
Duplicate of <---- it's reported by me,
I'm a little bit confused about that... you marked it as duplicate....

Comment 3

3 years ago
You wrote above "i already reported this issue". So it's a duplicate. 
Please avoid filing duplicates.