Clickjacking Vulnerability Present Across the Entire Application
Sumanta Nayak
Summary:
The entire application is vulnerable to Clickjacking attacks due to the absence of proper security headers such as X-Frame-Options or Content-Security-Policy (CSP) with frame-ancestors directives. This allows an attacker to embed application pages within an iframe on a malicious site and trick users into performing unintended actions. The issue is critical given the application's focus on UI/UX design, where user interface manipulation can have significant impact.
Vulnerable Area:
All pages and endpoints of the application.
Vulnerability Description:
The application fails to implement anti-clickjacking mechanisms, enabling an attacker to load application pages inside an iframe on a third-party domain. By using transparent overlays or deceptive UI elements, attackers can trick users into clicking on hidden buttons or links, potentially leading to unauthorized actions such as account modification, sensitive data exposure, or financial transactions.
Steps to Reproduce:
- Create a simple HTML page on an attacker-controlled domain.
- Embed the target application using the following iframe code:
<iframe src="https://target-application.com" width="100%" height="100%"></iframe>
Demo PoC HTML code:
<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="UTF-8">
    <title>I Frame</title>
  </head>
  <body>
    <h3>clickjacking vulnerability</h3>
    <iframe src="https://sensay.io/" height="550px" width="700px"></iframe>
  </body>
</html>
- Host the HTML file and open it in a browser.
- Observe that the target application loads successfully within the iframe, confirming the absence of clickjacking protection.
Impact:
Attackers can trick users into performing actions on the legitimate application while believing they are interacting with another site. This can result in unauthorized transactions, settings changes, or data disclosure. The vulnerability undermines user trust and the integrity of the application's user interface, which is especially concerning for a platform emphasizing UI/UX quality.
Severity: High
CWE ID:
CWE-1021: Improper Restriction of Rendered UI Layers or Frames
CVSS v3.1 Vector:
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Base Score: 7.3 (High)
CVSS Metric Explanation:
Attack Vector (AV): Network - The attack can be executed remotely over the internet.
Attack Complexity (AC): Low - No special conditions or configurations are required.
Privileges Required (PR): None - The attacker does not need authentication.
User Interaction (UI): Required - The attack requires the user to visit a malicious webpage.
Scope (S): Unchanged - The impact is limited to the same security domain.
Confidentiality (C): Low - Some sensitive data may be indirectly exposed.
Integrity (I): High - Attackers can induce victims to perform unauthorized actions.
Availability (A): None - The attack does not affect system availability.
Recommendation:
- Implement the HTTP response header "X-Frame-Options: DENY" (or "X-Frame-Options: SAMEORIGIN" if the application needs to frame its own pages) to prevent the application from being framed by external domains.
- Use the Content-Security-Policy header with the directive "frame-ancestors 'none';" (or "frame-ancestors 'self';") to enhance protection.
- Regularly test application pages to ensure headers are properly applied across all responses.
- Educate the development and design teams about clickjacking risks, especially given the application's UI/UX focus.
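The following script is an added example for the second and third recommendations; it is not part of the original report and not code from the application's vendor. It applies the recommended headers to a response header map and audits a set of responses for clickjacking protection, treating a CSP frame-ancestors directive as authoritative where present (current browsers give it precedence over X-Frame-Options), ignoring report-only CSP (it is not enforced), and flagging the obsolete ALLOW-FROM form. The page paths and header sets under SAMPLE_PAGES are constructed for the demonstration.

```python
"""Audit HTTP response headers for clickjacking protection.

Added example, not part of the original report. The per-page header sets
below are constructed samples standing in for real responses; in practice
feed the function the headers returned by http.client or requests for
every page and endpoint of the application.
"""
from typing import Dict, List, Tuple

# Headers the recommendation asks for; CSP frame-ancestors is the modern
# control, X-Frame-Options covers browsers that do not support it.
HARDENED_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

# CSP source expressions that still allow arbitrary sites to frame the page.
WEAK_SOURCES = {"*", "http:", "https:", "http://*", "https://*"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def frame_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for one response's headers.

    Header names are matched case-insensitively. A report-only CSP is
    deliberately ignored because browsers do not enforce it.
    """
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy")
    if csp:
        sources = parse_csp(csp).get("frame-ancestors")
        if sources is not None:
            normalised = {s.strip("'").lower() for s in sources}
            # An empty source list is equivalent to 'none' per the CSP spec.
            if not normalised or normalised == {"none"}:
                return True, "CSP frame-ancestors 'none'"
            if normalised & WEAK_SOURCES:
                return False, "CSP frame-ancestors allows any origin"
            return True, "CSP frame-ancestors restricted to listed origins"

    xfo = h.get("x-frame-options")
    if xfo:
        token = xfo.strip().upper()
        if token in ("DENY", "SAMEORIGIN"):
            return True, f"X-Frame-Options {token}"
        if token.startswith("ALLOW-FROM"):
            return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
        return False, f"unrecognised X-Frame-Options value {xfo!r}"

    return False, "no X-Frame-Options and no CSP frame-ancestors"


def harden(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with the recommended anti-framing headers added.

    Existing values are kept so an application-specific policy is not overwritten.
    """
    out = dict(headers)
    present = {k.lower() for k in out}
    for name, value in HARDENED_HEADERS.items():
        if name.lower() not in present:
            out[name] = value
    return out


def audit(pages: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the paths whose responses lack clickjacking protection, in input order."""
    return [path for path, headers in pages.items() if not frame_protection(headers)[0]]


# Constructed sample responses: only /dashboard is correctly protected.
SAMPLE_PAGES = {
    "/": {"Content-Type": "text/html"},
    "/login": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "/settings": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "/dashboard": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
}

if __name__ == "__main__":
    for path, headers in SAMPLE_PAGES.items():
        ok, why = frame_protection(headers)
        print(f"{path:12} {'OK      ' if ok else 'MISSING '} {why}")
    print("unprotected:", audit(SAMPLE_PAGES))
    print("after harden:", frame_protection(harden(SAMPLE_PAGES["/"])))
```

Run it against the real application by collecting the headers of every response in the crawl (including error pages and API responses, which are easy to miss) and passing them as the page map; any path returned by audit() still needs the headers from the recommendation applied.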
