Issue 1: Clickjacking
Description:
Clickjacking is also known as a UI redress attack. Through this vulnerability attackers can hijack a site that is vulnerable to clickjacking: an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
Steps To Reproduce:
Create a new HTML file.
Put this code in it: <iframe src="https://xxxx.com/" height="550px" width="700px"></iframe>
Now save the file and open it in the browser.
<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<title>I Frame</title>
</head>
<body>
<h3>clickjacking vulnerability</h3>
<!-- xxxx.com is the report's placeholder for the site being tested; the page loads inside this frame only if the site sends no anti-framing headers -->
<iframe src="https://xxxx.com/" height="550px" width="700px"></iframe>
</body>
</html>
IMPACT:
This bug is caused when a website does not implement the X-Frame-Options header, and that is the cause of this. It means maybe you are using content from some external source and, after adding *frame-ancestors 'self';*, the content is prohibited from being displayed within the page due to CSP. It still affects the company; an attacker can leverage this bug and can cause harm to users of the website.
An attacker can host this domain in another evil site by using an iframe, and if a user fills in the given field it can directly redirect as logs to the attacker and afterwards redirect to your web server. It leads to stealing user information too, and to using that host site as phishing of your site. It's CSRF and clickjacking.
Remediation:
Solution: X-Frame-Options: SAMEORIGIN or X-Frame-Options: DENY
The frame busting technique is the better framing protection technique.
Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other
Since I don't have the knowledge, is there anyone who can explain this problem and solve it?
I Received a Site Bug Report, How Can I Fix It?
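An added example (not code from the bug report or from the affected site) showing how to tell whether a response is framable by another origin, the way the report's reproduction page tests it, and which headers to add to fix it. It uses only the Python standard library; the function names and the sample responses are my own construction.

```python
# Added example: classifies anti-framing headers and builds the corrected ones.
# Not code from the bug report or the affected site; sample responses are constructed.
from typing import Dict, List, Mapping, Optional

def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Source list of the frame-ancestors directive (lower-cased), or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def cross_origin_framing_allowed(headers: Mapping[str, str]) -> bool:
    """True if a page on another origin could embed this response in an <iframe>."""
    # Browsers that support CSP ignore X-Frame-Options when frame-ancestors is present.
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            # Empty list behaves like 'none'; any host, scheme or '*' entry opens framing.
            return any(src not in ("'none'", "'self'") for src in sources)
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return True
    # ALLOW-FROM is obsolete and ignored by current browsers, so it gives no protection.
    return xfo.strip().upper() not in ("DENY", "SAMEORIGIN")

def recommended_headers(same_origin: bool = True) -> Dict[str, str]:
    """Headers to add to every response, matching the report's remediation."""
    if same_origin:
        return {"X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'self'"}
    return {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'"}

# Constructed sample responses: the vulnerable original and the fixed one.
VULNERABLE_RESPONSE = {"Content-Type": "text/html; charset=utf-8"}
FIXED_RESPONSE = {**VULNERABLE_RESPONSE, **recommended_headers()}

if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, "framable cross-origin:", cross_origin_framing_allowed(resp))
```

Add the headers from recommended_headers() to every HTML response of the site (web server or application config), then re-run the report's iframe page: the frame should stay blank.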