Threat of clickjacking

Being a total noob at website security, I received the following email:
The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to render a page in a <frame> or <iframe>. This is a client-side security issue that affects a variety of browsers and platforms.

Steps to reproduce:

1. Create a new HTML file
2. Put the following code inside the file
<html>
<head>
<title>ClickJacking PoC</title>
</head>
<body>
ClickJacking PoC
<iframe src="https://meeting-reminders.com/login" height="450" width="1000"></iframe>
</body>
</html>
3. Save the file
4. Open the document in the browser

Impact:

The victim surfs the attacker’s web page intending to interact with the visible user interface but is inadvertently performing actions on the hidden page. Using the hidden page, an attacker can deceive users into performing actions they never intended to perform through the positioning of the hidden elements in the web page.
Is the login page vulnerable to this?
12 Replies
kapa.ai (10mo ago)
Hi @Ricardo Batista. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

Based on the knowledge sources provided, there is no specific information about the implementation of the X-Frame-Options HTTP response header in Wasp or its vulnerability to clickjacking attacks. However, one of the knowledge sources mentions the consideration of using the 'helmet' npm package in the node server, which sets some reasonable default HTTPS response headers. The 'helmet' package includes a middleware function to set the X-Frame-Options header, which can help protect your application against clickjacking attacks. For a more definitive answer, I would recommend checking the Wasp documentation or reaching out to the Wasp community for further assistance. Source (https://github.com/wasp-lang/wasp/issues/22)

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

Sorry @Ricardo Batista, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist: Perhaps try again in 15mins?
miho (10mo ago)
We'll have to investigate this in details, and we'll write a proper answer here. But, trying out the code they sent, results in Google denying to load. Also, trying to load the /account page in the iframe doesn't work since the localStorage is not shared and thus the session info is not shared. It doesn't seem like a plausible attack vector to me - so no worries - but I'll read more on the issue of clickjacking next week.
Ricardo Batista (OP, 10mo ago)
thanks a bunch @miho
mb23 (3mo ago)
@miho I've got a similar email. Have you been able to look into it? 🙂
miho (3mo ago)
I have to admit I haven't gone deeper with the investigation, but what I shared in my initial response still stands:
It doesn't seem like a plausible attack vector to me
I'll add this to my TODO so I don't forget about it after I come back from my holidays in one week.
mb23 (3mo ago)
@miho Thanks a bunch, happy holidays!
Filip (2mo ago)
@Ricardo Batista @mb23 Hey guys, I was just wondering, who's sending you these emails? 😄
Ricardo Batista (OP, 2mo ago)
ihan.hackaboo@gm*il.com
Filip (3w ago)
Sounds like a marketing campaign or something. I'm not sure these criticisms are even valid. @miho Have you maybe already looked into it?
miho (3w ago)
Testing the code leads me to dismissing this as a real threat (video shows Google refusing to load). It looks like someone is just spamming website owners to maybe extract some money from them?
Filip (3w ago)
It looks like someone is just spamming website owners to maybe extract some money from them?
Yeah, that was my guess as well. Pray and spray, you'll get it right for some people (like sending out betting tips).
Fecony (3w ago)
Urban Dictionary: Hackaboo
People that try to be a hacker, but have no skill in computer science (incl. programming). Consists of Hacker + Weeaboo