Improper Restriction of Rendered UI Layers or Frames in kestasjk/webdiplomacy

Valid

Reported on

Jun 8th 2021


✍️ Description

It is possible to perform a clickjacking attack because the application imposes no frame restrictions. The file https://github.com/kestasjk/webDiplomacy/blob/07de41f21192b0b611af343bc0d880c1de78d194/header.php does not set the response header X-Frame-Options: DENY. Its modern equivalent, a Content-Security-Policy header carrying frame-ancestors 'none', is what current browsers honour when both are present, and the successful framing in the proof of concept shows that neither restriction is enforced. The issue affects the root path and the paths served under it.
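
The following added example (not code from the webDiplomacy project or from this report) evaluates a set of response headers the way a browser does when deciding whether to render a page inside a cross-site frame: a Content-Security-Policy frame-ancestors directive, when present, takes precedence over X-Frame-Options; X-Frame-Options DENY and SAMEORIGIN are honoured; a missing header, a Report-Only policy, or any other X-Frame-Options value (including the obsolete ALLOW-FROM) leaves the page framable. The header sets are constructed for illustration rather than captured from webdiplomacy.net, and attacker.example is a placeholder origin.

```python
"""Browser-style check: can a page with these response headers be framed?

Added example for this report, not code from the webDiplomacy project.
All header sets and origins below are constructed for illustration.
"""
from urllib.parse import urlsplit


def _source_matches(source: str, origin: str, page_origin: str) -> bool:
    """Match one CSP frame-ancestors source expression against a framing origin."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return origin == page_origin
    if src == "*":
        return True
    o = urlsplit(origin)
    # Scheme-source such as "https:" matches every host using that scheme.
    if src.endswith(":") and "/" not in src:
        return o.scheme == src[:-1]
    # Host-source: [scheme://]host[:port]; the host may start with a "*." wildcard.
    scheme, _, rest = src.rpartition("://")
    host, _, port = rest.partition(":")
    if scheme and scheme != o.scheme:
        return False
    origin_port = o.port or (443 if o.scheme == "https" else 80)
    if port and port != "*" and int(port) != origin_port:
        return False
    if host.startswith("*."):
        return o.hostname.endswith(host[1:])
    return o.hostname == host


def can_be_framed(headers: dict, origin: str, page_origin: str) -> bool:
    """True if a document at `origin` could render the page inside an iframe.

    A frame-ancestors directive overrides X-Frame-Options when both exist;
    Content-Security-Policy-Report-Only never blocks; X-Frame-Options values
    other than DENY/SAMEORIGIN are ignored by current browsers, so the page frames.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = tokens[1:] or ["'none'"]  # an empty source list means 'none'
            return any(_source_matches(s, origin, page_origin) for s in sources)
    xfo = lower.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return origin == page_origin
    return True


PAGE = "https://webdiplomacy.net"
ATTACKER = "https://attacker.example"  # placeholder attacker origin

# Constructed header sets (not captured responses).
UNPROTECTED = {"Content-Type": "text/html; charset=UTF-8"}  # the condition reported here
XFO_ONLY = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
HARDENED = {  # both headers: CSP for current browsers, X-Frame-Options for older ones
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}
SAME_ORIGIN = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
REPORT_ONLY = {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"}  # reports, does not block


def audit(headers: dict, origin: str = ATTACKER, page_origin: str = PAGE) -> str:
    """Human-readable verdict for one header set."""
    return "FRAMABLE" if can_be_framed(headers, origin, page_origin) else "protected"


if __name__ == "__main__":
    for name, hdrs in [("unprotected", UNPROTECTED), ("xfo-only", XFO_ONLY),
                       ("hardened", HARDENED), ("same-origin", SAME_ORIGIN),
                       ("report-only", REPORT_ONLY)]:
        print(f"{name:12s} {audit(hdrs)}")
```

Feed the function the headers of a real response (for example from a requests or curl -I capture) to confirm a fix in practice. In PHP such headers are emitted with header() before any output is sent; sending both the CSP directive and X-Frame-Options covers current and legacy browsers.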

🕵️‍♂️ Proof of Concept

Create an HTML file with the following content:

<!-- frame.html: load the target inside an iframe; if the logon page renders, it can be framed -->
<!DOCTYPE html>
<html>
<head></head>
<body><iframe src="https://webdiplomacy.net/logon.php" height="1080" width="1920"></iframe></body>
</html>

Then open the file in a browser: the logon page renders inside the frame, confirming that no frame restriction is enforced.

💥 Impact

As PortSwigger's clickjacking reference describes, a page controlled by an attacker can load the webDiplomacy website within an iframe. This enables a clickjacking attack, in which the attacker's page overlays the framed application with a different interface so that the victim's mouse clicks and keystrokes land on the real application underneath. The victim thereby unwittingly performs actions within webDiplomacy. Because the requests originate from the genuine application page in the victim's own browser, they carry valid anti-CSRF tokens, so this technique circumvents defenses against cross-site request forgery and may result in unauthorized actions. The attack presupposes that the victim is logged in and that the session cookie is sent when the page is loaded in a cross-site frame, which is not the case if the cookie is marked SameSite=Lax or Strict.

Ileana
2 years ago

Researcher


(sorry, some weird bugs happened when uploading the disclosure detail). The Permalink is https://github.com/kestasjk/webDiplomacy/blob/07de41f21192b0b611af343bc0d880c1de78d194/header.php

Kestas
2 years ago

Maintainer


Hmm, appreciate you having a look. I'll make this change next time I do a commit, but it's pretty hard to think of an attack scenario this could bring about.

Kestas
2 years ago

Maintainer


Forgot to mention I don't think this site has that header either.

Kestas "Chris" Kuliukas marked this as fixed with commit 01ca7e 2 years ago
Kestas "Chris" Kuliukas has been awarded the fix bounty
This vulnerability will not receive a CVE