ClickJacking – X-Frame-Options header missing

Description

Clickjacking is an attack vector that could cause users to click on a web page element that is not visible or disguised as another element.
This attack can cause users to download malware, visit malicious web pages, provide credentials or sensitive information, purchase products online, etc.

Business Impact

An attacker can use multiple transparent or opaque layers to trick a user into clicking a button or link on a hidden page when they intend to click the visible top-layer page. The click is thereby routed to another page, most likely owned by another application, another domain, or both.

Recommendation

To fix the issue, apply one or both of the following:
Frame-busting (frame-breaking) code or the X-Frame-Options response header
Content-Security-Policy with the frame-ancestors directive
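The following Python script is an added example and not part of the original post: it shows a minimal server that emits both recommended headers, plus a checker that classifies a response's headers the way a scanner would when reporting this finding. It uses only the standard library; the header sets in the test and the port 8080 are constructed for illustration. The checker goes slightly beyond the text by also flagging the obsolete ALLOW-FROM value and permissive frame-ancestors source lists, since both leave the page frameable in current browsers.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Mapping, Optional, Tuple

# X-Frame-Options values that browsers still honour. ALLOW-FROM is obsolete and
# ignored by current browsers, so a response carrying only it is effectively
# unprotected (assumption for this example: treat it as a finding, not a pass).
SAFE_XFO_VALUES = {"DENY", "SAMEORIGIN"}


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_clickjacking_protection(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Classify the anti-framing protection of a response from its headers.

    Header names are compared case-insensitively. When a CSP frame-ancestors
    directive is present, browsers ignore X-Frame-Options, so it is checked
    first. Returns (protected, reason-code).
    """
    lowered = {name.lower(): value.strip() for name, value in headers.items()}

    ancestors = parse_frame_ancestors(lowered.get("content-security-policy", ""))
    if ancestors is not None:
        # "*" allows any origin; a bare scheme such as "https:" allows any host
        # on that scheme, which is as good as no restriction for this finding.
        if "*" in ancestors or any(src.endswith(":") for src in ancestors):
            return False, "csp-frame-ancestors-permissive"
        return True, "csp-frame-ancestors"

    xfo = lowered.get("x-frame-options", "").upper()
    if xfo in SAFE_XFO_VALUES:
        return True, "x-frame-options"
    if xfo.startswith("ALLOW-FROM"):
        return False, "x-frame-options-obsolete-allow-from"
    if xfo:
        return False, "x-frame-options-invalid"
    return False, "x-frame-options-missing"


class AntiFramingHandler(BaseHTTPRequestHandler):
    """Minimal handler that sends both defences on every response."""

    def do_GET(self) -> None:
        body = b"<html><body>protected page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        # Legacy header, still useful for browsers without CSP2 support.
        self.send_header("X-Frame-Options", "DENY")
        # Modern control: 'none' forbids all framing; 'self' would allow
        # same-origin framing only.
        self.send_header("Content-Security-Policy", "frame-ancestors 'none'")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Constructed port for the example; browse to http://127.0.0.1:8080/ and
    # inspect the response headers, or point the assessor at them.
    HTTPServer(("127.0.0.1", 8080), AntiFramingHandler).serve_forever()
```

Sending both headers is deliberate: browsers that understand frame-ancestors use it and ignore X-Frame-Options, while older ones fall back to X-Frame-Options, so the pair covers both populations without conflict as long as the two policies agree.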

Reference

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
