Improper Restriction of Rendered UI Layers or Frames in jonschoning/espial

Valid

Reported on Sep 26th 2021


Description
A clickjacking attack is possible because the application's responses set no frame restrictions.

PoC
https://i.ibb.co/QFTZD9j/clickjack.png

Impact
According to PortSwigger references, it is possible for a page controlled by an attacker to load the website within an iframe. This enables a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defences against cross-site request forgery and may result in unauthorized actions.

Solution
Set the response header X-Frame-Options: DENY
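A way to check a response for the condition this report describes and for the proposed fix, as an added example (not code from espial or from the report). It goes beyond the report by also reading the CSP frame-ancestors directive, following the X-Frame-Options processing order of the HTML Standard as understood here; the function name, verdict strings and any header values passed to it are constructed for illustration.

```python
# Added example: classify a response's anti-framing headers.
# Verdict strings and the function name are illustrative, not from espial.
VALID_XFO = {"deny", "sameorigin", "allowall"}


def frame_policy(headers):
    """headers: iterable of (name, value). Returns (protected, verdict)."""
    xfo, ancestor_lists = set(), []
    for name, value in headers:
        lname = name.strip().lower()
        if lname == "x-frame-options":
            # Repeated headers and comma-joined values form one set of tokens.
            xfo.update(v.strip().lower() for v in value.split(",") if v.strip())
        elif lname == "content-security-policy":
            for policy in value.split(","):      # one header may carry several policies
                for directive in policy.split(";"):
                    parts = directive.split()
                    if parts and parts[0].lower() == "frame-ancestors":
                        ancestor_lists.append([p.lower() for p in parts[1:]])
                        break                    # first occurrence in a policy wins

    if ancestor_lists:
        # An enforced frame-ancestors directive makes browsers skip X-Frame-Options.
        def open_to_all(sources):
            return any(s == "*" or s.endswith(":") for s in sources)

        if any(not s or s == ["'none'"] for s in ancestor_lists):
            return True, "csp-none"
        if all(open_to_all(s) for s in ancestor_lists):
            return False, "csp-any-origin"
        return True, "csp-listed-origins"

    if not xfo:
        return False, "no-frame-restriction"     # the state described in this report
    if len(xfo) > 1:
        # Conflicting values block framing only if at least one is a known token.
        if xfo & VALID_XFO:
            return True, "xfo-conflict-blocked"
        return False, "xfo-invalid"
    (value,) = xfo
    if value in ("deny", "sameorigin"):
        return True, "xfo-" + value
    return False, "xfo-ignored"                  # ALLOW-FROM, ALLOWALL or junk
```

Feed it the header pairs of a real response (for example from an HTTP client's response object) to confirm that a deployed build actually sends the restriction.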
We have contacted a member of the jonschoning/espial team and are waiting to hear back 2 months ago
Jon Schoning validated this vulnerability 2 months ago
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jon Schoning confirmed that a fix has been merged on a080c3 2 months ago
Jon Schoning has been awarded the fix bounty