Improper Restriction of Rendered UI Layers or Frames in netdisco/netdisco


Reported on: Oct 3rd 2021

# Description
It is possible to perform a clickjacking attack due to the lack of frame restrictions: the application does not set the response header X-Frame-Options: DENY.

# Proof of Concept

        <!DOCTYPE html>
        <html>
          <head>
            <title>Clickjack test page</title>
          </head>
          <body>
            <!-- src is left empty in the report; the URL of the page under test goes here -->
            <iframe src="" width="500" height="500"></iframe>
          </body>
        </html>

Save the script as clickjacking.html; the page will render inside the iframe.

The link below shows the PoC.

# Impact
It is possible for a page controlled by an attacker to load the website within an iframe. This enables a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker.

# Remediation

Configure X-Frame-Options as SAMEORIGIN by default.
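The check and the fix described above, as an added example that is not part of the original report and not netdisco's own code. It evaluates a response's headers for the two framing controls browsers honour (X-Frame-Options and the Content-Security-Policy frame-ancestors directive, which takes precedence when both are present), and shows a generic WSGI middleware that adds the SAMEORIGIN headers to any response that lacks them. All header sets and the tiny WSGI app are constructed sample data; netdisco is a Perl application, so this middleware is an illustration of the header fix rather than the project's actual change.

```python
"""Clickjacking defence: detect missing frame restrictions and add them.

Added example, not netdisco code. Sample headers below are constructed.
"""
from typing import Dict, List, Mapping, Optional


def _get(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent.

    A bare 'frame-ancestors' with no sources means 'none' per the CSP spec.
    """
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:] or ["'none'"]
    return None


def assess_frame_protection(headers: Mapping[str, str]) -> str:
    """Classify framing protection as 'deny', 'sameorigin', 'restricted' or 'unprotected'.

    When a CSP frame-ancestors directive is present, browsers ignore
    X-Frame-Options, so CSP is evaluated first.
    """
    csp = _get(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            lowered = [s.lower() for s in sources]
            if lowered == ["'none'"]:
                return "deny"
            if lowered == ["'self'"]:
                return "sameorigin"
            return "restricted"  # only the listed origins may frame the page
    xfo = _get(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().lower()
        if value == "deny":
            return "deny"
        if value == "sameorigin":
            return "sameorigin"
        # ALLOW-FROM is obsolete and ignored by current browsers: no protection.
    return "unprotected"


def add_frame_headers(app, policy: str = "SAMEORIGIN"):
    """WSGI middleware: add X-Frame-Options and a matching CSP frame-ancestors.

    Existing values set by the application are left untouched.
    """
    policy = policy.upper()
    csp_source = "'self'" if policy == "SAMEORIGIN" else "'none'"

    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            if "x-frame-options" not in present:
                headers.append(("X-Frame-Options", policy))
            if "content-security-policy" not in present:
                headers.append(("Content-Security-Policy", f"frame-ancestors {csp_source}"))
            return start_response(status, headers, exc_info)

        return app(environ, patched_start_response)

    return wrapped


# Constructed sample responses: the vulnerable state and several fixed states.
UNPROTECTED = {"Content-Type": "text/html"}
FIXED_XFO = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
FIXED_CSP = {"content-security-policy": "default-src 'self'; frame-ancestors 'none'"}
CONFLICTING = {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'self'"}


def demo_fixed_headers() -> Dict[str, str]:
    """Run a constructed bare WSGI app through the middleware and return its headers."""

    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<html><body>netdisco placeholder page</body></html>"]

    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = list(headers)
        return lambda data: None

    list(add_frame_headers(app)({}, start_response))
    return dict(captured["headers"])


if __name__ == "__main__":
    for label, hdrs in [("unprotected", UNPROTECTED), ("after fix", demo_fixed_headers())]:
        print(f"{label}: {assess_frame_protection(hdrs)}")
```

The CSP-first ordering matters for the CONFLICTING sample: a scanner that only reads X-Frame-Options would report DENY, while browsers actually apply frame-ancestors 'self'. Reporting both headers, as the middleware sets them, keeps the policy consistent across old and new user agents.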
We have contacted a member of the netdisco team and are waiting to hear back (a year ago)
netdisco/netdisco maintainer validated this vulnerability a year ago
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
netdisco/netdisco maintainer (a year ago):

Many thanks, we are now going to set these headers in the app:

netdisco/netdisco maintainer marked this as fixed with commit 381f41 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE