Improper Restriction of Rendered UI Layers or Frames in kcal-app/kcal
Sep 25th 2021
# Description

It is possible to perform a clickjacking attack because the application does not restrict framing: the login page is served without an `X-Frame-Options: DENY` response header, so any third-party page can embed it in an iframe.

# Proof of Concept

```html
<html>
  <head>
    <title>Clickjack test page</title>
  </head>
  <body>
    <iframe src="http://demo.kcal.cooking/login" width="500" height="500"></iframe>
  </body>
</html>
```

Save the markup as `clickjacking.html` and open it in a browser; the login page renders inside the iframe:

https://i.ibb.co/zb7q1bH/3.png

# Impact

A page controlled by an attacker can load the website within an iframe. This enables a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker.

Recommended fix: configure `X-Frame-Options` as `SAMEORIGIN` by default.
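The following is an added example, not part of this report or of the kcal project: a small offline Python check that takes a captured HTTP response (or a header dictionary) and decides whether framing is restricted, i.e. whether the vector above is closed. It evaluates the CSP `frame-ancestors` directive first, since browsers give it precedence over `X-Frame-Options` when both are present, and treats values browsers do not enforce (such as `ALLOW-FROM`) as ineffective. The function names are mine, and the two sample responses are constructed for illustration, not captures from demo.kcal.cooking.

```python
"""Offline check of whether an HTTP response restricts framing (added example)."""
from __future__ import annotations

from typing import Mapping, Optional


def parse_response_headers(raw: str) -> dict[str, str]:
    """Parse the header block of a raw HTTP/1.x response into a dict.

    The status line is skipped and the body (after the blank line) is ignored.
    A later duplicate header overwrites an earlier one, which is sufficient here.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: dict[str, str] = {}
    for line in head.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, because header field names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors_sources(csp: str) -> Optional[list[str]]:
    """Return the source list of frame-ancestors, or None if the policy lacks it."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers: Mapping[str, str]) -> tuple[str, bool, str]:
    """Decide whether the response restricts framing.

    Returns (mechanism, restricted, detail); mechanism is "csp", "xfo" or "none".
    """
    csp = get_header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors_sources(csp)
        if sources is not None:
            # An empty source list is equivalent to 'none'.
            if not sources or sources == ["'none'"]:
                return ("csp", True, "frame-ancestors 'none': no framing allowed")
            if any(src in ("*", "http:", "https:") for src in sources):
                return ("csp", False, "frame-ancestors permits any origin: " + " ".join(sources))
            return ("csp", True, "frame-ancestors limited to: " + " ".join(sources))

    xfo = get_header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return ("xfo", True, "X-Frame-Options: " + value)
        # ALLOW-FROM is not supported by current browsers, and an unrecognised
        # value is ignored outright, so the header provides no protection.
        return ("xfo", False, "X-Frame-Options value not enforced by browsers: " + xfo)

    return ("none", False, "no X-Frame-Options header and no CSP frame-ancestors directive")


def recommended_headers() -> dict[str, str]:
    """The fix the report recommends, plus the equivalent CSP directive."""
    return {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'",
    }


# Constructed sample responses (not real captures).
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: session=placeholder; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: frame-ancestors 'self'\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        mechanism, restricted, detail = framing_policy(parse_response_headers(raw))
        print(f"{label}: restricted={restricted} via {mechanism} ({detail})")
```

Run against a saved response from the login page before and after the fix: the unfixed response yields `none`, and a response carrying `X-Frame-Options: SAMEORIGIN` (or the CSP directive) yields a restricted verdict. Shipping both headers, as `recommended_headers()` does, covers older browsers that only honour `X-Frame-Options`.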