
Bug #53

Updated by rashmita rout about 1 month ago

*Objectives:-*
The application can be successfully embedded within an iframe hosted on an external page. This indicates that clickjacking protection headers such as X-Frame-Options or Content-Security-Policy (frame-ancestors) are not implemented. An attacker could exploit this weakness to perform UI redressing attacks and trick users into executing unintended actions.

*Steps:-*
1. Create a local HTML file with the following content:

<!DOCTYPE html>
<html>
<body>
<h2>Clickjacking Test</h2>
<iframe src="https://myaccount.tinggit.com/" width="800" height="600"></iframe>
</body>
</html>

2. Open the HTML file in any browser (Chrome/Edge/Firefox).

3. Observe that the application login page loads inside the iframe.

*Expected Result:-*
The application should not load inside an iframe. The browser should block the content due to the presence of clickjacking protection headers (X-Frame-Options or CSP frame-ancestors).

Additionally, session cookies should be prevented from being included when the page is loaded in a frame by using the SameSite cookie attribute.

JavaScript code should be implemented in the page to attempt to prevent it from being loaded in a frame (known as a "framebuster").

*Actual Result:-*
The application loads successfully inside a crafted iframe, confirming the absence of clickjacking protection.
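A way to verify this finding from the captured response headers, as an added example that is not part of this ticket and not the application's own code: it applies the browser rules (a CSP frame-ancestors directive takes precedence over X-Frame-Options; with neither present any origin may embed the page) to a header set and reports whether a given origin could frame the page. The sample header sets and the origins partner.example and external.example are constructed for illustration.

```python
from urllib.parse import urlsplit

_DEFAULT_PORT = {"https": 443, "http": 80}

def _split(origin):
    """Normalise an origin/URL to (scheme, host, port), filling in the default port."""
    p = urlsplit(origin)
    return p.scheme.lower(), (p.hostname or "").lower(), p.port or _DEFAULT_PORT.get(p.scheme.lower())

def _source_allows(source, page, framer):
    """Does one frame-ancestors source expression permit the framing origin?"""
    src = source.lower()
    if src in ("'none'", "'self'", "*"):
        return {"'none'": False, "'self'": framer == page, "*": True}[src]
    if src.endswith(":"):                        # scheme-source such as "https:"
        return framer[0] == src[:-1]
    if "://" not in src:                         # host-source without a scheme inherits the page's
        src = f"{page[0]}://{src}"
    s_scheme, s_host, s_port = _split(src)
    host_ok = framer[1].endswith(s_host[1:]) if s_host.startswith("*.") else framer[1] == s_host
    return s_scheme == framer[0] and host_ok and s_port == framer[2]

def is_frameable_by(headers, page_url, framing_origin):
    """True if a browser would let a document from framing_origin embed page_url.
    A CSP frame-ancestors directive, when present, takes precedence over X-Frame-Options."""
    lower = {k.lower(): v for k, v in headers.items()}
    page, framer = _split(page_url), _split(framing_origin)
    for directive in lower.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(_source_allows(s, page, framer) for s in value.split())
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    return True   # header absent, or a value (e.g. ALLOW-FROM) that current browsers ignore

# Constructed sample header sets; not captured from the application in this ticket.
PAGE = "https://myaccount.tinggit.com/"
UNPROTECTED = {"Content-Type": "text/html"}
XFO_SAMEORIGIN = {"X-Frame-Options": "SAMEORIGIN"}
CSP_PARTNER = {"X-Frame-Options": "DENY",
               "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example"}

if __name__ == "__main__":
    for label, hdrs in (("no headers", UNPROTECTED), ("XFO", XFO_SAMEORIGIN), ("CSP", CSP_PARTNER)):
        print(f"{label}: frameable by https://external.example ->",
              is_frameable_by(hdrs, PAGE, "https://external.example"))
```

Feed it the headers of the actual login-page response to confirm the fix once either header is deployed.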

Please find the link below for reference:-
https://thehigherpitch-my.sharepoint.com/:i:/p/rashmita_rout/IQB-1jEi90mqSYgKse5Q5CKdAQyVVskFKs_pGk8X_F8bPNU?e=hBXO0B
