UI REDRESSING in unilogies/bumsys
Feb 25th 2023
The web application does not restrict, or incorrectly restricts, frame objects or UI layers that belong to another application or domain (CWE-1021), which can lead to user confusion about which interface the user is interacting with. In this case, http://demo.bumsys.org/ can be loaded inside an iframe on an attacker-controlled page, which is the precondition for clickjacking.
Steps To Reproduce
1. Create a new HTML file, e.g. Test.html, with the contents shown below.
2. Put `<iframe src="http://demo.bumsys.org/" width="1000" height="1000"></iframe>` in its body.
3. Save the file.
4. Open the file (Test.html) in a browser (e.g. Firefox).
5. Observe that the bumsys demo renders inside the frame: the response carries neither an `X-Frame-Options` header nor a `Content-Security-Policy` `frame-ancestors` directive, so the browser does not block framing.
File : Test.html
```html
<!-- Attacker-controlled page that frames the target application -->
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Clickjacking Attack</title>
</head>
<body>
  <p>This Page is Vulnerable to Clickjacking</p>
  <!-- If the target renders here, it is frameable from a foreign origin -->
  <iframe src="http://demo.bumsys.org/" width="1000" height="1000"></iframe>
</body>
</html>
```
Proof of Concept
The fix is to send an `X-Frame-Options: DENY` (or `SAMEORIGIN`) header and a `Content-Security-Policy` header with a `frame-ancestors` directive; browsers that support `frame-ancestors` honour it in preference to `X-Frame-Options`, so both should be set consistently. JavaScript frame-busting is at most a defence-in-depth measure, since a framing page can neutralise it (for example with the iframe `sandbox` attribute, which blocks top-level navigation).
Attackers can use clickjacking to load the real application in an invisible frame under a decoy page, so that clicks the user intends for the decoy land on the authenticated bumsys UI, or to overlay the framed page with a fake login form that looks exactly like the real one. In the latter case they can steal users' login credentials, leading to unauthorized access to their accounts.
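To turn the remediation above into something checkable, the following is an added example (not code from the original report or from the bumsys project): a small evaluator that, given a set of response headers, decides whether a browser would let the page be framed by a given parent origin, applying the precedence of `frame-ancestors` over `X-Frame-Options`. The header sets, origins and hostnames used as input are constructed for illustration and were not captured from demo.bumsys.org.

```javascript
// Added example (not code from the original report or from bumsys): decide
// whether a browser would let a page served with the given response headers
// be framed by a page at parentOrigin. Rules implemented:
//   - a Content-Security-Policy frame-ancestors directive, when present,
//     takes precedence and X-Frame-Options is ignored (CSP Level 3);
//   - otherwise X-Frame-Options DENY blocks all framing, SAMEORIGIN allows only
//     the page's own origin, and a missing or unrecognised value (including the
//     obsolete ALLOW-FROM) allows framing, which is the clickjacking condition.
// A single X-Frame-Options value is assumed; conflicting duplicates are not handled.

function headerLookup(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Returns the frame-ancestors source list (lower-cased), or null if absent.
function parseFrameAncestors(cspValue) {
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.toLowerCase());
    }
  }
  return null;
}

function hostMatches(pattern, hostname) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);               // "*.bumsys.org" -> ".bumsys.org"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

// Does one frame-ancestors source expression match the framing origin?
function sourceMatches(source, origin, selfOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return origin === selfOrigin;
  if (source === '*') return true;
  const o = new URL(origin);
  const originScheme = o.protocol.slice(0, -1);
  let scheme = null;
  let hostPort = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):(?:\/\/(.+))?$/);
  if (m) { scheme = m[1]; hostPort = m[2] === undefined ? null : m[2]; }
  // http: sources also match https origins (secure upgrade); nothing else crosses schemes
  if (scheme && scheme !== originScheme && !(scheme === 'http' && originScheme === 'https')) return false;
  if (hostPort === null) return true;              // scheme-only source such as "https:"
  const [host, port] = hostPort.split(':');
  const originPort = o.port || (originScheme === 'https' ? '443' : '80');
  if (port !== undefined && port !== '*' && port !== originPort) return false;
  return hostMatches(host, o.hostname);
}

function framingAllowed(headers, parentOrigin, selfOrigin) {
  const csp = headerLookup(headers, 'content-security-policy');
  if (csp !== undefined) {
    const sources = parseFrameAncestors(csp);
    if (sources !== null) {
      return sources.some(s => sourceMatches(s, parentOrigin, selfOrigin));
    }
  }
  const xfo = headerLookup(headers, 'x-frame-options');
  if (xfo === undefined) return true;
  const value = xfo.trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return parentOrigin === selfOrigin;
  return true;
}

// Constructed sample responses for http://demo.bumsys.org/ (not captured from the
// live site): the first reproduces the report's finding, the second is the hardened form.
const SELF = 'http://demo.bumsys.org';
const ATTACKER = 'https://attacker.example';
const VULNERABLE_HEADERS = { 'Content-Type': 'text/html; charset=UTF-8' };
const HARDENED_HEADERS = {
  'Content-Type': 'text/html; charset=UTF-8',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "frame-ancestors 'none'",
};

console.log('vulnerable, framed by attacker:', framingAllowed(VULNERABLE_HEADERS, ATTACKER, SELF)); // true
console.log('hardened, framed by attacker:  ', framingAllowed(HARDENED_HEADERS, ATTACKER, SELF));   // false
```

The same logic can be applied to a live response by feeding it the headers from `curl -sI http://demo.bumsys.org/`; the absence of both headers on the framed page is exactly what step 5 above observes through the browser.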
We are processing your report and will contact the unilogies/bumsys team within 24 hours. 25 days ago
Khurshid Alam validated this vulnerability 23 days ago
ctflearner has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Khurshid Alam marked this as fixed in v2.0.2 with commit 8c5b27 18 days ago
This vulnerability will not receive a CVE
commented 18 days ago
@khurshid Alam can you assign CVE for this
commented 17 days ago
@admin, Please assign a CVE. Thank you.
commented 10 days ago
CVE assigned as requested:)