Improper Restriction of Rendered UI Layers or Frames in kcal-app/kcal

Valid

Reported on

Sep 25th 2021


# Description

It is possible to perform a clickjacking attack because the application does not restrict which pages may frame it. Responses do not carry an X-Frame-Options header (DENY or SAMEORIGIN), nor an equivalent Content-Security-Policy frame-ancestors directive, so any origin can load the site in an iframe, as the proof of concept below shows.

# Proof of Concept

```html
<!DOCTYPE html>
<html>
    <head>
        <title>Clickjack test page</title>
    </head>
    <body>
        <!-- If the target sends no framing restriction, its login page renders here. -->
        <!-- A real attack would make this frame transparent and position the
             attacker's own UI over its inputs and buttons. -->
        <iframe src="http://demo.kcal.cooking/login" width="500" height="500"></iframe>
    </body>
</html>
```

Save this as clickjacking.html and open it in a browser: the kcal login page renders inside the iframe (screenshot below).

https://i.ibb.co/zb7q1bH/3.png

# Impact

A page controlled by an attacker can load the website within an iframe. This enables a clickjacking attack: the attacker's page overlays the target application's interface with a different interface provided by the attacker, so a visitor who believes they are clicking the attacker's page is actually clicking (or typing into) kcal's own UI.

Recommended fix: send X-Frame-Options: SAMEORIGIN (or DENY if the application never needs to frame itself) on every response by default, and additionally a Content-Security-Policy: frame-ancestors 'self' directive, which modern browsers honour in preference to X-Frame-Options and which also covers nested frames.
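The check and the fix described above, as an added example that is not part of the original report and not the kcal project's own code. The checker classifies a response's framing protection the way a browser would (a Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options; unrecognised X-Frame-Options values such as the obsolete ALLOW-FROM are ignored, which leaves the page frameable). The WSGI middleware shows the fix applied application-wide. `login_page`, the constructed headers and the treatment of conflicting X-Frame-Options values as a misconfiguration are assumptions made for the example.

```python
# Added example (not kcal's code): classify a response's framing protection and
# apply the fix as WSGI middleware. Runs offline against constructed responses.
from typing import Iterable, List, Optional, Tuple

Header = Tuple[str, str]


def _values(headers: Iterable[Header], name: str) -> List[str]:
    """All values of a header, matched case-insensitively (as HTTP header names are)."""
    return [v.strip() for k, v in headers if k.lower() == name.lower()]


def frame_ancestors(csp_values: List[str]) -> Optional[List[str]]:
    """Source list of the first frame-ancestors directive in any CSP header, or None.
    An empty source list matches nothing, which is equivalent to 'none'."""
    for csp in csp_values:
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]] or ["'none'"]
    return None


def framing_policy(headers: Iterable[Header]) -> Tuple[str, str]:
    """Return (verdict, reason): "blocked" (no page may frame it), "same-origin",
    "restricted" (CSP allow-list) or "frameable" (any site may frame it, so the
    clickjacking PoC works). CSP frame-ancestors, when present, wins over XFO."""
    headers = list(headers)
    fa = frame_ancestors(_values(headers, "Content-Security-Policy"))
    if fa is not None:
        if fa == ["'none'"]:
            return "blocked", "CSP frame-ancestors 'none'"
        if fa == ["'self'"]:
            return "same-origin", "CSP frame-ancestors 'self'"
        if "*" in fa or any(s in ("http:", "https:") for s in fa):
            return "frameable", "CSP frame-ancestors permits any origin"
        return "restricted", "CSP frame-ancestors allow-list: " + " ".join(fa)

    xfo = {v.upper() for v in _values(headers, "X-Frame-Options")}
    if not xfo:
        return "frameable", "no X-Frame-Options and no CSP frame-ancestors"
    if len(xfo) > 1:
        # Assumption for this checker: conflicting values are a misconfiguration;
        # flag them rather than guess which one a given browser honours.
        return "frameable", "conflicting X-Frame-Options values: " + ", ".join(sorted(xfo))
    value = xfo.pop()
    if value == "DENY":
        return "blocked", "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return "same-origin", "X-Frame-Options: SAMEORIGIN"
    # ALLOW-FROM was never widely supported and is obsolete; unknown values are ignored.
    return "frameable", "unrecognised X-Frame-Options value ignored by browsers: " + value


def with_frame_protection(app, ancestors: str = "'self'"):
    """WSGI middleware implementing the fix: emit both headers on every response.
    `ancestors` is a CSP frame-ancestors source list; X-Frame-Options is derived
    from it for browsers without CSP support ('none' -> DENY, otherwise SAMEORIGIN).
    Existing CSP headers are kept: all policies present are enforced together,
    so adding one can only tighten the result."""
    xfo = "DENY" if ancestors.strip() == "'none'" else "SAMEORIGIN"

    def wrapped(environ, start_response):
        def protected_start_response(status, response_headers, exc_info=None):
            kept = [(k, v) for k, v in response_headers if k.lower() != "x-frame-options"]
            kept.append(("X-Frame-Options", xfo))
            kept.append(("Content-Security-Policy", "frame-ancestors " + ancestors))
            return start_response(status, kept, exc_info)

        return app(environ, protected_start_response)

    return wrapped


def login_page(environ, start_response):
    """Hypothetical stand-in for the /login route: sets no framing headers (the bug)."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<form method='post'><input name='email'><input name='password' type='password'></form>"]


def response_headers(app, path: str = "/login") -> List[Header]:
    """Invoke a WSGI app for one GET in-process and return the headers it sent."""
    captured: List[Header] = []

    def start_response(status, headers, exc_info=None):
        captured.extend(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": "http"}
    body = app(environ, start_response)
    if hasattr(body, "close"):
        body.close()
    return captured


if __name__ == "__main__":
    print(framing_policy(response_headers(login_page)))                         # before the fix
    print(framing_policy(response_headers(with_frame_protection(login_page))))  # after the fix
```

To verify a deployed fix rather than the in-process stub, feed `framing_policy` the header list from an HTTP client's response to the login URL; the classification logic is the same. Note that a JavaScript frame-busting script in the page is not counted as protection, since it can be defeated with the iframe sandbox attribute.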
- We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
- Christopher Charbonneau Wells validated this vulnerability 2 months ago
- @0xAmal has been awarded the disclosure bounty
- The fix bounty is now up for grabs

@0xAmal (Researcher), 2 months ago:

> Thanks sir

- Christopher Charbonneau Wells confirmed that a fix has been merged on cf5167 2 months ago
- Christopher Charbonneau Wells has been awarded the fix bounty