Click Jacking bypass X-Frame-Options

Resolved Reuhno
(@laboiteare)

2 years, 9 months ago

Hi there,

Yesterday I received an e-mail from a guy who pretends to be a white hat hacker. Here is the mail :

Team I have found a vulnerability in your site.
bypass X-Frame-Options ( Proxy protection NOT used )

Proxy protection NOT used , i can bypass X-Frame-Options header and recreate clickjacking on the whole domain.

I see that you don’t have a reverse proxy protection that allows attackers to proxy your website rather than iframe it.
POC:
<!DOCTYPE html>
<html>
<head>
<meta charset=”UTF-8″>
<meta name=”viewport” content=”width=device-width, initial-scale=1.0″>
<meta name=”description” content=”X-Frame-Bypass: Web Component extending IFrame to bypass X-Frame-Options: deny/sameorigin”>
<title>X-Frame-Bypass Web Component Demo</title>
<style>
html, body {
margin: 0;
padding: 0;
height: 100%;
overflow: hidden;
}
iframe {
display: block;
width: calc(100% – 40px);
height: calc(100% – 40px);
margin: 20px;
}
img {
position: absolute;
top: 0;
right: 0;
}
</style>
<script src=”https://unpkg.com/@ungap/custom-elements-builtin“></script>
<script src=”x-frame-bypass.js” type=”module”></script>
</head>
<body>
<h1> X-FRAME PROTECTION BYPASSED </h1>
<iframe is=”x-frame-bypass” src=”https://www.mysite.com/”></iframe>
</body>
</html>

FIX:
Content-Security-Policy: frame-ancestors ‘self’ is better, because it checks all frame ancestors
You should implement CSP header to avoid these sort of attacks

What do you think about this suggestion ?

I will appreciate your opinion.

Viewing 4 replies - 1 through 4 (of 4 total)

Plugin Author Andrea Ferro
(@unicorn03)

2 years, 9 months ago

Hi @laboiteare, thank you for using the plugin. I am Andrea I will help you with your request.

I will answer you in the afternoon after checking your topic with the best solution.

Plugin Author Andrea Ferro
(@unicorn03)

2 years, 8 months ago

Hi @laboiteare, here I am back to you 🙂 The vulnerability regarding the bypass of X-Frame-Options and potential clickjacking is a serious issue for website security. The proposal to implement a Content-Security-Policy (CSP) header with the ‘frame-ancestors’ option set to ‘self’ is an important step to mitigate these kinds of attacks, and I am happy to confirm that I have already been working on integrating this functionality into the plugin (so you can add your own custom CSP rules,s effortlessly and easily).

In creating your own CSP rules, I recommend some useful resources that I have personally tested and use:

Check CSP test website csper.io/evaluator
Check CSP Evaluator csp-evaluator.withgoogle.com
CSP Content Security Policy Generator addons.mozilla.org

These resources will help you evaluate and generate effective CSP policies for your own Web sites.

I continue to work on security and improving the plugin to provide the best possible experience.

If you have additional questions or need more details about your plugin’s security, please don’t hesitate to ask.

Thread Starter Reuhno
(@laboiteare)

2 years, 8 months ago

Hello and thank you for taking this question seriously.

I will look into generating custom rules, but can you tell me if, in the future, this rule could be implemented automatically in your extension?

(For my part, I have a lot of sites with your extension, and it would be a phenomenal time saver if it was done alone)

Thank you for everything

Plugin Author Andrea Ferro
(@unicorn03)

2 years, 8 months ago

Hi @laboiteare, thanks for your feedback! currently a feature is implemented to insert generated CSP rules.

In the next versions I am working on making this automatic, but before effecting this I am currently checking and testing several developments.

I hope you enjoyed the assistance and please feel free to write to me for further information or help.

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Click Jacking bypass X-Frame-Options’ is closed to new replies.