Navigation X
ALERT
Click here to register with a few steps and explore all our cool stuff we have to offer!



   1446

Clickjacking Vulnerability

by TopGunMav - 02 May, 2021 - 07:31 PM
This post is by a banned member (TopGunMav) - Unhide
TopGunMav  
Heaven
1.165
Posts
560
Threads
5 Years of service
#1
OP 02 May, 2021 - 07:31 PM
Steps To Reproduce:
  1. Create a new HTML file
  2. Put https://pastebin.com/9XZVfjKR
  3. Save the file
  4. Open document in browser
Impact
An attacker may trick user, sending them a malicious link 

Solution
The vulnerability can be fixed by adding "frame-ancestors 'self';" to the CSP (Content-Security-Policy) header.

@J_S
 
 
+REP APPRECIATES MY WORK
BEWARE OF IMPERSONATORS.
  ALWAYS CONFIRM ON C.TO BEFORE ANY DEAL.
This post is by a banned member (J_S) - Unhide
J_S  
Premium Member
1.846
Posts
399
Threads
5 Years of service
#2
03 May, 2021 - 03:43 PM
Adding "frame-ancestors 'self';"  header just breaks the page.
For sale - signature spots | Top spot - 65$ | mid - 45$ | bottom - 30$

[Image: tz1gY15.gif]
Top ad by @80s [exp 07/01/25]



[Image: Streaming-Hub-Signature-design.gif]
mid ad by @Brox [exp 09/01/25]

[Image: Qgu0ZJX.gif]
bottom ad by @Rose [exp 11/01/25]

This post is by a banned member (TopGunMav) - Unhide
TopGunMav  
Heaven
1.165
Posts
560
Threads
5 Years of service
#3
OP 04 May, 2021 - 03:17 PM
(03 May, 2021 - 03:43 PM)J_S Wrote: Show More
Adding "frame-ancestors 'self';"  header just breaks the page.

I Dont know what is the reason behind it but you can check this below website 

https://cheatsheetseries.owasp.org/cheat...Sheet.html
 
 
+REP APPRECIATES MY WORK
BEWARE OF IMPERSONATORS.
  ALWAYS CONFIRM ON C.TO BEFORE ANY DEAL.
This post is by a banned member (Blepop) - Unhide
Blepop  
Galactic
4.054
Posts
2.151
Threads
5 Years of service
#4
04 May, 2021 - 04:26 PM
(02 May, 2021 - 07:31 PM)GuntherMagnuson Wrote: Show More
Steps To Reproduce:
  1. Create a new HTML file
  2. Put https://pastebin.com/9XZVfjKR
  3. Save the file
  4. Open document in browser
Impact
An attacker may trick user, sending them a malicious link 

Solution
The vulnerability can be fixed by adding "frame-ancestors 'self';" to the CSP (Content-Security-Policy) header.

@J_S

+
X-Frame options in the header needs to be added to prevent this
1. put it on DENY to disallow c.to being iframed on any other domain
2. but use sameorigin to allow c.to to be iframed within same domain , i mean inside of c.to domain it can be iframe (cuz only adding DENY from option1 will restrict it being iframed anywhere including c.to own domain)
so both of those headers to be used
[Image: S6IAC.gif]
Ad by firewizard 
This post is by a banned member (TopGunMav) - Unhide
TopGunMav  
Heaven
1.165
Posts
560
Threads
5 Years of service
#5
OP 04 May, 2021 - 04:55 PM
(03 May, 2021 - 03:43 PM)J_S Wrote: Show More
Adding "frame-ancestors 'self';"  header just breaks the page.

it means maybe you are using content from some external source and after adding *frame-ancestors 'self';* .. the content is prohibited from being displayed within the page due to CSP.

X-FRAME-OPTIONS: SAMEORIGIN

Or

X-FRAME-OPTIONS: DENY

May work
 
 
+REP APPRECIATES MY WORK
BEWARE OF IMPERSONATORS.
  ALWAYS CONFIRM ON C.TO BEFORE ANY DEAL.
This post is by a banned member (NotaNumber) - Unhide

Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
 or
Sign in
Already have an account? Sign in here.



Forum Jump:


Users browsing this thread: 1 Guest(s)

About Cracked.io

Cracked.io is a community forum that suits basically everyone. We provide cracking tutorials, tools, leaks, marketplace and much more stuff! You can also learn many things here, meet new friends and have a lot of fun!
If you would like to contact us, you can send our staff team a message.

Navigation

Extras

Help

Account