Bug #53
Status: open (0%)
Description
Objectives:-
The application can be embedded in an iframe on a page served from an external origin. This shows that the response carries no effective clickjacking protection header: neither X-Frame-Options (DENY or SAMEORIGIN) nor a Content-Security-Policy with a frame-ancestors directive. An attacker could use this to perform UI redressing (clickjacking): overlaying the framed application with their own page so that a user who believes they are clicking the attacker's content actually triggers actions in the application.
Steps:-
1. Create a local HTML file with the following content:
<!DOCTYPE html>
<html>
<body>
<h2>Clickjacking Test</h2>
<iframe src="https://myaccount.tinggit.com/" width="800" height="600"></iframe>
</body>
</html>
2. Open the HTML file in any browser (Chrome/Edge/Firefox).
3. Observe that the application login page loads inside the iframe.
Expected Result:-
The application should not load inside an iframe. The browser should refuse to render it because the response carries a clickjacking protection header: X-Frame-Options (DENY or SAMEORIGIN) or Content-Security-Policy frame-ancestors. When both are present, browsers apply frame-ancestors and ignore X-Frame-Options, so the CSP directive is the one to get right.
Additional defence-in-depth measures, which do not replace the headers:-
1. Setting the SameSite attribute on the session cookie so it is not sent when the page is loaded in a cross-site frame. The page may still render in the frame, but without the victim's session, so the attacker cannot redress authenticated actions.
2. Adding JavaScript to the page that attempts to break out of a frame (a "framebuster"). A framing page can defeat this (for example with the iframe sandbox attribute, which blocks top-level navigation), so it must not be relied on alone.
Actual Result:-
The application loads successfully inside a crafted iframe, confirming the absence of clickjacking protection.
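The following Python script is an added example, not part of this report or of the application's code. It models the framing decision a browser makes from the response headers (CSP frame-ancestors takes precedence; otherwise X-Frame-Options), so the expected and actual results above can be checked from an HTTP response without opening a browser. The response headers are constructed samples: the first reproduces what was observed (no protection header), the others show candidate fixes; the attacker origin and the partner allow-list are assumptions for illustration.

```python
"""Check response headers for clickjacking protection.

Added example (not the project's code). Header samples are constructed;
only the page origin comes from the report.
"""
from urllib.parse import urlsplit

PAGE = "https://myaccount.tinggit.com"    # application under test, from the report
ATTACKER = "https://attacker.example"     # constructed attacker origin


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}.
    The first occurrence of a directive wins, as the CSP spec requires."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def source_matches(source, page_origin, framer_origin):
    """Simplified CSP source-expression match for frame-ancestors: handles
    'none', 'self', '*', scheme sources (https:) and host sources with an
    optional scheme, port and leading wildcard. Origins are scheme://host[:port]."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return framer_origin == page_origin
    if src == "*":
        return True
    fo = urlsplit(framer_origin)
    if src.endswith(":") and "/" not in src:        # scheme-source, e.g. https:
        return fo.scheme == src[:-1]
    scheme, _, hostpart = src.rpartition("://")     # host-source, e.g. https://*.example.com
    if scheme and scheme != fo.scheme:
        return False
    host, _, port = hostpart.partition(":")
    framer_port = fo.port or {"https": 443, "http": 80}.get(fo.scheme)
    if port and port != str(framer_port):
        return False
    if host.startswith("*."):
        # wildcard matches subdomains only, not the bare domain
        return fo.hostname.endswith(host[1:]) and fo.hostname != host[2:]
    return fo.hostname == host


def framing_allowed(headers, page_origin, framer_origin):
    """Return (allowed, reason): would a browser render the page inside a frame
    whose top-level document is framer_origin? When CSP frame-ancestors is
    present it is applied and X-Frame-Options is ignored."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp:
        sources = parse_csp(csp).get("frame-ancestors")
        if sources is not None:      # an empty source list matches nothing
            ok = any(source_matches(s, page_origin, framer_origin) for s in sources)
            return ok, "frame-ancestors " + (" ".join(sources) or "(empty)")
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False, "X-Frame-Options: DENY"
    if xfo == "sameorigin":
        return framer_origin == page_origin, "X-Frame-Options: SAMEORIGIN"
    if xfo:
        # ALLOW-FROM and other values are not honoured by current browsers
        return True, "X-Frame-Options value not enforced: " + xfo
    return True, "no anti-framing header"


# Constructed response headers: the observed state and candidate fixes.
SAMPLES = {
    "as observed (no header)": {"Content-Type": "text/html"},
    "fixed with X-Frame-Options": {"X-Frame-Options": "DENY"},
    "fixed with CSP": {"Content-Security-Policy": "frame-ancestors 'self'"},
    "partner allow-list (assumed)": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.tinggit.com"},
    "deprecated ALLOW-FROM only": {"X-Frame-Options": "ALLOW-FROM https://partner.tinggit.com"},
}


def audit(samples=SAMPLES, page=PAGE, framer=ATTACKER):
    """Evaluate every sample against the attacker origin."""
    return {name: framing_allowed(hdrs, page, framer) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, (allowed, why) in audit().items():
        print(f"{'VULNERABLE' if allowed else 'blocked   '}  {name:32} ({why})")
```

To use it against the live target, capture the response headers for https://myaccount.tinggit.com/ (for example from the browser's network panel or with curl -I) and pass them to framing_allowed; the script only models the browser rules and does not perform any request itself.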
Screenshot for reference:-
https://thehigherpitch-my.sharepoint.com/:i:/p/rashmita_rout/IQB-1jEi90mqSYgKse5Q5CKdAQyVVskFKs_pGk8X_F8bPNU?e=hBXO0B