Unimplemented or Unsupported Feature in UI in spiral-project/ihatemoneyValid
Jul 18th 2021
💥 STEP TO REPRODUCE
I see there is no X-Frame-Options header present in response . So, it allow to load dashboard url in iframe which make clickjacking attack . Iframe will be completely hidden with opacity control so that victim dont suspect .
bellow code can be used as attack
<iframe src="https://ihatemoney.org/xxxx/" height="600px" width="800px" style="opacity:0.4">
As this iframe is completely hidden , victim can suspect what happening in background and make clickjacking attack