Improper Restriction of Rendered UI Layers or Frames in francoisjacquet/rosariosis

Valid

Reported on

Aug 5th 2021


Clickjacking is a portmanteau of two words ‘click’ and ‘hijacking’. It refers to hijacking user’s click for malicious intent. In it, an attacker embeds the vulnerable site in an transparent iframe in attacker’s own website and overlays it with objects such as button using CSS skills. This tricks users to perform unintended actions on vulnerable website, thinking they are doing those on attacker’s website. Clickjacking, also known as a "UI redress attack".

POC : Please visit the below website. https://clickjacker.io/test?url=https:%2F%2Fwww.rosariosis.org%2Fdemonstration%2Findex.php

Users are tricked into performing all sorts of unintended actions are such as typing in the password, clicking on ‘Delete my account’ button, liking a post, deleting a post, commenting on a blog. In other words all the actions that a normal user can do on a legitimate website can be done using clickjacking.

François Jacquet validated this vulnerability a month ago
sudheendra17 has been awarded the disclosure bounty
The fix bounty is now up for grabs
François Jacquet confirmed that a fix has been merged on 9396aa a month ago
François Jacquet has been awarded the fix bounty
to join this conversation