UI REDRESSING in unilogies/bumsys
Valid
Reported on
Feb 25th 2023
Description
The web application does not restrict, or incorrectly restricts, frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.
Steps To Reproduce
1. Create a new HTML file as shown below, i.e. Test.html.
2. Put `<iframe src="http://demo.bumsys.org/" width="1000" height="1000"></iframe>` in it.
3. Save the file.
4. Open the file (Test.html) in a browser (e.g. Firefox).
File : Test.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Clickjacking Attack</title>
</head>
<body>
<p>This Page is Vulnerable to Clickjacking</p>
<iframe src="http://demo.bumsys.org/" width="1000" height="1000"></iframe>
</body>
</html>
Proof of Concept
https://drive.google.com/file/d/12iuOMyGVS9qz5j3638PAVdYvhCipTfbi/view?usp=sharing
COUNTERMEASURE
It is important to implement the X-Frame-Options header, use a Content Security Policy (CSP), and add frame-busting defenses.
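The following script is an added example, not part of the report or of bumsys. It shows how a defender can verify the two header-based countermeasures named above by evaluating a response's headers: the legacy X-Frame-Options header and the CSP frame-ancestors directive. The header sets at the bottom are constructed samples standing in for a vulnerable and a hardened response; fetching live headers is left to the caller.

```python
"""Decide whether a set of HTTP response headers lets third-party pages frame the response.

Added example for this clickjacking report; not bumsys code. Input is a plain
dict of response headers. Header names are matched case-insensitively.
"""
from typing import Dict, List, Optional


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP header value.

    Returns None when the directive is absent. An empty list means the directive
    was present with no sources, which browsers treat like 'none'.
    """
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip().lower() for p in parts[1:]]
    return None


def framing_allowed(headers: Dict[str, str]) -> bool:
    """True if an arbitrary third-party origin may embed this response in a frame.

    Mirrors browser behaviour: when a CSP frame-ancestors directive is present it
    takes precedence and X-Frame-Options is ignored; X-Frame-Options is only
    honoured for the values DENY and SAMEORIGIN (ALLOW-FROM and malformed values
    are ignored by current browsers, so the page stays frameable).
    """
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            # 'none', 'self' or explicit origins all keep untrusted pages out;
            # only a wildcard or a bare scheme source opens the door to anyone.
            return any(src in ("*", "http:", "https:") for src in ancestors)

    xfo = lower.get("x-frame-options")
    if xfo is not None and xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return False

    # No effective anti-framing control: clickjacking is possible.
    return True


# Constructed sample header sets (not captured from demo.bumsys.org).
VULNERABLE_HEADERS = {"Content-Type": "text/html; charset=UTF-8"}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def report(name: str, headers: Dict[str, str]) -> str:
    """Human-readable verdict for one header set."""
    verdict = "FRAMEABLE (clickjacking risk)" if framing_allowed(headers) else "protected"
    return f"{name}: {verdict}"


if __name__ == "__main__":
    print(report("vulnerable sample", VULNERABLE_HEADERS))
    print(report("hardened sample", HARDENED_HEADERS))
```

Sending both X-Frame-Options: DENY and Content-Security-Policy: frame-ancestors 'none' is the usual recommendation, since the CSP directive is the modern control and the legacy header covers browsers that do not evaluate frame-ancestors.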
Impact
Attackers can use clickjacking to redirect users to a fake login page that looks exactly like the real one. They can then steal users' login credentials, leading to unauthorized access to their accounts.
References
We are processing your report and will contact the unilogies/bumsys team within 24 hours. (25 days ago)
We have contacted a member of the unilogies/bumsys team and are waiting to hear back. (24 days ago)