• 07-08-2023, 23:42:08
    #1
    An Indian guy sent me an email like this, should I take it seriously?

    Hello Team,
    I have found a bug in your website site.com
    The details of it are as follows:-

    Summary:

    X-Frame-Options ALLOW-FROM site.com/login not supported by several Browser,
    Steps To Reproduce:
    1. Create a new HTML file
    2. Put <iframe src="site.com/login" frameborder="0"></iframe>
    3. Save the file
    4. Open document in browser
    Impact:

    An attacker may trick a user by sending them a malicious link; when the user opens it and clicks some image, their account is unknowingly deactivated.
    Solution:

    The vulnerability can be fixed by adding "frame-ancestors 'self';" to the CSP (Content-Security-Policy) header.
    PoC:
    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="description" content="X-Frame-Bypass: Web Component extending IFrame to bypass X-Frame-Options: deny/sameorigin">
    <title>X-Frame-Bypass Web Component Demo</title>
    <style>
    html, body {
    margin: 0;
    padding: 0;
    height: 100%;
    overflow: hidden;
    }
    iframe {
    display: block;
    width: calc(70% - 40px);
    height: calc(80% - 40px);
    margin: 20px;
    }
    img {
    position: absolute;
    top: 0;
    right: 0;
    }
    </style>
    <script src="https://unpkg.com/@ungap/custom-elements-builtin"></script>
    <script src="x-frame-bypass.js" type="module"></script>
    </head>
    <body>
    <h1>x-frame-bypass in your site</h1>
    <iframe is="x-frame-bypass" src="site.com/login"></iframe>
    </body>
    </html>

    FIX:

    Content-Security-Policy: frame-ancestors 'self' is better, because it checks all frame ancestors. You should implement a CSP header to avoid these sorts of attacks. Please let me know if you want more information. I hope that you appreciate my ethical disclosure of this vulnerability, expecting a reward as a token of appreciation for this.
    Thank you!
    Waiting for your reply.
    Regards,
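    Added example, not part of this thread or of the quoted email: a small checker that tells you whether a page's response headers actually stop another origin from framing it, using the two mechanisms the email mentions (X-Frame-Options and CSP frame-ancestors). It encodes the two facts behind the email's claim: browsers that do not implement the obsolete ALLOW-FROM value ignore the header entirely, and when a frame-ancestors directive is present it takes precedence over X-Frame-Options. All header values and origins below (site.com, evil.example, partner.example) are constructed sample data, and the source-list matching is simplified (no default-port handling, no path matching).

```python
"""Constructed example: evaluate anti-framing response headers.

Not the email's PoC and not code from the forum; written to show what the
headers in the email actually do in a browser that follows CSP3.
"""
from urllib.parse import urlparse


def parse_csp(value):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _origin_parts(origin):
    """(scheme, host, port) of an origin string such as https://site.com."""
    u = urlparse(origin)
    return u.scheme.lower(), (u.hostname or "").lower(), u.port


def _source_matches(source, page_origin, framer_origin):
    """Simplified frame-ancestors source matching (keywords, scheme, host, *.wildcard)."""
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return _origin_parts(page_origin) == _origin_parts(framer_origin)
    if s == "*":
        return True
    f_scheme, f_host, f_port = _origin_parts(framer_origin)
    if s.endswith(":"):                      # scheme-source, e.g. "https:"
        return f_scheme == s[:-1]
    if "://" not in s:                       # bare host-source: assume the framer's scheme
        s = f_scheme + "://" + s
    s_scheme, s_host, s_port = _origin_parts(s)
    if s_scheme != f_scheme:
        return False
    if s_host.startswith("*."):
        if not f_host.endswith(s_host[1:]):  # "*.site.com" matches "app.site.com"
            return False
    elif s_host != f_host:
        return False
    return s_port is None or s_port == f_port


def can_be_framed_by(headers, page_origin, framer_origin):
    """True if a document at framer_origin may embed the page served with these headers."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        # CSP3: when frame-ancestors is present, X-Frame-Options is ignored.
        return any(_source_matches(src, page_origin, framer_origin)
                   for src in csp["frame-ancestors"])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin_parts(page_origin) == _origin_parts(framer_origin)
    # ALLOW-FROM is obsolete: current browsers do not implement it and treat the
    # header as unrecognised, so this case behaves exactly like "no header at all".
    return True


def framing_verdict(headers, page_origin):
    """'protected' if an unrelated third-party origin cannot frame the page, else 'unprotected'."""
    third_party = "https://evil.example"     # constructed, unrelated origin
    return "unprotected" if can_be_framed_by(headers, page_origin, third_party) else "protected"


# Constructed sample responses for the page https://site.com
SAMPLE_RESPONSES = {
    "ALLOW-FROM (the email's finding)":
        {"X-Frame-Options": "ALLOW-FROM https://site.com"},
    "frame-ancestors 'self' (the email's fix)":
        {"Content-Security-Policy": "frame-ancestors 'self';"},
    "DENY plus a CSP that allows a partner (CSP wins)":
        {"X-Frame-Options": "DENY",
         "Content-Security-Policy": "frame-ancestors https://partner.example"},
    "no anti-framing header at all":
        {},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(f"{label:50s} -> {framing_verdict(headers, 'https://site.com')}")
```

    Run it and the first and last rows both come out "unprotected": from the browser's point of view ALLOW-FROM is indistinguishable from sending nothing, which is the only technically accurate part of the email. The third row shows why you should check the CSP rather than X-Frame-Options when both are present.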
  • 07-08-2023, 23:46:27
    #2
    Don't bother with these.
  • 07-08-2023, 23:51:56
    #3
    Nah, man, he says to create an HTML file with this code supposedly to close the hole, and the HTML file you make loads the guy's JavaScript file onto your server.