UI Redressing in kareadita/kavita

Valid

Reported on

Aug 9th 2022


Description

Clickjacking is a portmanteau of the two words ‘click’ and ‘hijacking’. It refers to hijacking a user’s click for malicious intent. In it, an attacker embeds the vulnerable site in a transparent iframe on the attacker’s own website and overlays it with objects such as buttons using CSS. This tricks users into performing unintended actions on the vulnerable website while thinking they are acting on the attacker’s website. Clickjacking is also known as a "UI redress attack".

Proof of Concept

1. Go to this URL: https://clickjacker.io/test?url=https:%2F%2Fdemo.kavitareader.com%2Flogin
2. Observe that the website is embedded in an iframe.
3. Observe that the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive are missing from the response.
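As an added check, not part of the original report or the Kavita project: a small Python script that classifies a response's framing headers the way step 3 does by hand, treating CSP frame-ancestors as authoritative over X-Frame-Options (which is how current browsers resolve the two). The header values and the labels protected/weak/missing are the example's own.

```python
"""Classify whether HTTP response headers stop a page from being framed.
Added example, not part of the original report or the Kavita project."""
import sys
import urllib.request

# scheme-only or wildcard sources let any origin of that scheme frame the page
BROAD_SOURCES = {"*", "http:", "https:"}


def csp_frame_ancestors(csp):
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_protection(headers):
    """Return (status, reason); status is 'protected', 'weak' or 'missing'.

    Header names are matched case-insensitively. Browsers that support CSP
    frame-ancestors ignore X-Frame-Options when both are present, so CSP wins.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = csp_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        if set(ancestors) & BROAD_SOURCES:
            return "weak", "frame-ancestors allows broad framing: " + " ".join(ancestors)
        # an empty source list is equivalent to 'none'
        return "protected", "CSP frame-ancestors " + (" ".join(ancestors) or "'none'")
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected", "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        # ALLOW-FROM is obsolete and ignored by current browsers
        return "weak", "X-Frame-Options ALLOW-FROM is not honoured by modern browsers"
    return "missing", "neither X-Frame-Options nor CSP frame-ancestors is set"


def check_url(url):
    """Fetch url with a GET request and classify its framing headers."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return framing_protection(dict(resp.headers.items()))


if __name__ == "__main__":
    status, reason = check_url(sys.argv[1])
    print(f"{status}: {reason}")
```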

Impact

Users are tricked into performing all sorts of unintended actions, such as typing in their password, clicking a ‘Delete my account’ button, liking a post, deleting a post, or commenting on a blog. In other words, any action a normal user can take on the legitimate website can be triggered through clickjacking.

We are processing your report and will contact the kareadita/kavita team within 24 hours. a month ago
We have contacted a member of the kareadita/kavita team and are waiting to hear back a month ago
Joseph Milazzo validated this vulnerability a month ago
saharshtapi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joseph Milazzo
a month ago

Fixed locally, planned for next stable.

We have sent a fix follow up to the kareadita/kavita team. We will try again in 7 days. a month ago
Joseph Milazzo confirmed that a fix has been merged on ae891c a month ago
Joseph Milazzo has been awarded the fix bounty