Found Clickjacking Vulnerability at Login Page

0
32
 
 

 
 I found Clickjacking Vulnerability at Login Page                                                                                                                     
Vulnerability Type : Clickjacking                                                                                                                                               
Two links are vulnerable to clickjacking …..Login page                                                                                                                                                                
https://auth.api.sonyentertainmentnetwork.com/login.jsp                            
https://www.oriss.ap.sony.com/Admin/Login.aspx
Vulnerability Description :
Typically there is one type of attack – cross site request forgeries (CSRF)
that can interact with functions on other websites.
Clickjacking (User Interface redress attack, UI redress attack, UI redressing)
is a malicious technique of tricking a Web user into clicking on something different 
from what the user perceives they are clicking on, thus potentially revealing confidential
information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn’t return an X-Frame-Options header which means that this website could be at
risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate
whether or not a browser should be allowed to render a page in a  or                                
 
 
2.save it as .html eg sony.html
3.and just simply open that..             
          
As far as i know this data is enough to prove that your site is vulberable to Clickjacking..                                                  
according to OWASP its more than enough..
https://www.owasp.org/index.php/Testing_for_Clickjacking_(OWASP-CS-004)
Solution –>>                                                                                                                                                                                                                                                                                                                                                                                                               
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet                                       
check this out..here is the solution for that…                                                                                                                                                

Leave a reply