[Bah-tagonius] [Bah-general] CLICK JACKING

Secure Web secureweb23 en gmail.com
Lun Feb 1 15:03:30 CET 2021

Waiting for your reply

On Wed, Jan 27, 2021, 5:07 PM Secure Web <secureweb23 en gmail.com> wrote:

> [image: clickjack.png]
> Hello Team
> Hope that you're doing all good and healthy.I would like to draw your
> attention to some of the vulnerabilities in your site which i would like to
> report.
> Kindly provide me the email of relevant team or person and let me know if
> there is any bug bounty program or reward regarding this disclosure of
> vulnerabilties as this work requires both cost and time.
> Thank you
> In the index (home page): https://website.com/login
> Clickjacking, also known as a "UI redress attack", is when an attacker
> uses multiple transparent or opaque layers to trick a user into clicking on
> a button or link on another page when they were intending to click on the
> the top level page. Thus, the attacker is "hijacking" clicks meant for
> their page and routing them to another page, most likely owned by another
> application, domain, or both.
> Using a similar technique, keystrokes can also be hijacked. With a
> carefully crafted combination of style sheets, i frames, and text boxes, a
> user can be led to believe they are typing in the password to their email
> or bank account, but are instead typing into an invisible frame controlled
> by the attacker.
> PoC:
> <html>
> <head>
> <title>test nbxsites </title>
> </head>
> <body>
> <p> https://website.com/login is vulnerable to clickjacking!</p>
> <iframe src="https://website.com/login" width="500" height="500"></iframe>
> </body>
> </html>
> Tricking a user into unknowingly;
> No.1: An attacker can gain access to the credentials of users and use
> those credentials for booking and payment.
> No.2: adding events to their profile they are interested in attending.
> No. 3: editing their star rating on reviews;
> No.1: bookmarking unwanted business
> Screenshot
> Best Regards.
> Found More bugs on your website reply me so that i may disclose them
> further.
------------ próxima parte ------------
Se ha borrado un adjunto en formato HTML...
URL: <https://lists.ourproject.org/pipermail/bah-tagonius/attachments/20210201/07e6e00d/attachment-0001.html>
------------ próxima parte ------------
A non-text attachment was scrubbed...
Name: clickjack.png
Type: image/png
Size: 26008 bytes
Desc: no disponible
URL: <https://lists.ourproject.org/pipermail/bah-tagonius/attachments/20210201/07e6e00d/attachment-0001.png>
------------ próxima parte ------------
Bah-general mailing list
Bah-general en lists.ourproject.org

Más información sobre la lista de distribución Bah-tagonius