RE: Vulnerability Found: No Proxy Protection (CLICKJACKING)

From: whitehatrichard@inbox.eu
Domain: inbox.eu
MX-server: eu-shark2.inbox.eu
Size: 16055 Bytes
Create: 2020-09-02
Update: 2020-09-02
Score: 0
Safe: Yes

Outbound domains: translate.google.com | www.cybrsecgeeks.com | hackerone.com |

Hello,

Is there any update on this bug? I'm hoping to receive a bounty reward for responsible disclosure once your team has validated the issue.

I will be waiting for your response.

Stay Safe and Healthy

Warm Regards.

From: Richard Glen [mailto:whitehatrichard@inbox.eu]
Sent: Friday, August 14, 2020 11:20 AM
To: lisa.clifford@manybooks.net; thecolinparish@gmail.com; rasulr@gmx.fit; bw150@manybooks.net; daizybooks@manybooks.net; info@manybooks.net
Subject: Vulnerability Found: No Proxy Protection (CLICKJACKING)


Vulnerability Overview


Greetings,
I have found another vulnerability on your website, manybooks.net.

Bug: No Proxy Protection
Impact: Account Compromise / Clickjacking



Description:

How does it work? A CORS proxy takes advantage of Cross-Origin Resource Sharing, a feature that was added along with HTML5. Servers can specify that they want browsers to allow other websites to request the resources they host. A CORS proxy is simply an HTTP proxy that adds a header to responses saying "anyone can request this"; in technical terms, it adds the Access-Control-Allow-Origin header with the value (*).

And since it can add headers, it can also strip headers away, which is why it can strip away the X-Frame-Options header whether it is set to DENY or SAMEORIGIN.
And so the CSP policy and cross-origin policy can also be bypassed.



Screenshot Proof:

Proof of Concept with Complete Exploit Code:

Please refer to the attached .docx file for the complete exploit code, which is able to send user data from the framed website to the attacker's server, and for the fix. (Except for the complete overlapping CSS, as in the exploit video POC sent with this email, which is used to pop up user data.)

Impacts:

  • The site can also be opened in an iframe after the user has logged in, making it hard for the user to avoid phishing.
  • A user can be tricked into entering his credentials in what he may think are the placeholders for the original website's details, and thus his credentials would be sent to the attacker as shown in the POC.
  • The user's account can be compromised using the above POC.
  • The attacker can get full access to the account.


Remediation:

You must enable proxy protection for your website.
A possible fix, which facebook.com has enabled, can also be enabled.
How Facebook handles it (amazing protection): https://translate.google.com/translate?hl=en&sl=auto&tl=zu&u=https://facebook.com
Another possible fix is deployed on https://www.cybrsecgeeks.com.
The fix deployed on cybrsecgeeks.com is also present in the Word file.



Note: Let me know if a video POC is needed for this. I'm hoping to receive a bounty reward for responsible disclosure and will be reporting other issues accordingly.

Reference:

  • https://hackerone.com/reports/85624
  • https://hackerone.com/reports/7264

Best Regards
Faisal Mehmood
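Added example, not code from the report above and not the fix the reporter says facebook.com or cybrsecgeeks.com deploy (the email does not spell that fix out). The Node.js script below models, offline, what the header-stripping proxy described in the report does to a site's anti-framing headers, whether a browser would then let the copy be framed, which cookies the proxied copy can actually carry, and a client-side origin check of the kind such "proxy protection" usually means (an assumption here). All hosts, headers and cookie values are constructed sample data; `proxyRewrite`, `framingBlocked`, `cookiesSentTo`, `shouldRender` and the constants are names chosen for this example.

```javascript
// Added example: model a header-rewriting proxy and the checks around it.
// Constructed sample data throughout; nothing here was captured from manybooks.net.

// Headers a well-configured origin might send (constructed sample).
const UPSTREAM = {
  origin: 'https://manybooks.net',
  headers: {
    'content-type': 'text/html; charset=utf-8',
    'x-frame-options': 'DENY',
    'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
    'set-cookie': 'session=abc123; Secure; HttpOnly; SameSite=Lax',
  },
};

const ALLOWED_HOSTS = ['manybooks.net', 'www.manybooks.net']; // assumed real hosts
const ATTACKER = 'https://attacker.example';                   // constructed
const VICTIM_JAR = [{ origin: 'https://manybooks.net', cookie: 'session=abc123' }]; // constructed

function splitDirectives(csp) {
  return csp.split(';').map((d) => d.trim()).filter(Boolean);
}

// What the proxy does on the way back to the browser. It owns the response, so it
// can drop any header and add its own. The copy is served from the proxy's origin,
// and any Set-Cookie from the real site never reaches the victim's browser.
function proxyRewrite(upstream, proxyOrigin) {
  const out = {};
  for (const [name, value] of Object.entries(upstream.headers)) {
    const n = name.toLowerCase();
    if (n === 'x-frame-options' || n === 'set-cookie') continue; // stripped
    if (n === 'content-security-policy') {
      // Drop only frame-ancestors; the rest of the policy is left as it was.
      const kept = splitDirectives(value)
        .filter((d) => !d.toLowerCase().startsWith('frame-ancestors'));
      if (kept.length) out[n] = kept.join('; ');
      continue;
    }
    out[n] = value;
  }
  out['access-control-allow-origin'] = '*';
  return { origin: proxyOrigin, headers: out };
}

// Would a browser refuse to render `doc` inside a frame hosted at `framerOrigin`?
// A frame-ancestors directive takes precedence over X-Frame-Options when both exist.
function framingBlocked(doc, framerOrigin) {
  const h = Object.fromEntries(
    Object.entries(doc.headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
  const fa = splitDirectives(h['content-security-policy'] || '')
    .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1).map((s) => s.toLowerCase());
    if (sources.length === 0 || sources.includes("'none'")) return true;
    return !sources.some(
      (s) => s === framerOrigin.toLowerCase() ||
        (s === "'self'" && framerOrigin === doc.origin),
    );
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return true;
  if (xfo === 'SAMEORIGIN') return framerOrigin !== doc.origin;
  return false;
}

// Cookies are scoped by host: a request to the proxy carries none of the victim's
// cookies for the real site, so the framed copy is unauthenticated.
function cookiesSentTo(jar, requestOrigin) {
  return jar.filter((c) => c.origin === requestOrigin).map((c) => c.cookie);
}

// Client-side check (assumed form of "proxy protection"): the proxy removed the
// response headers, but the page's own script still runs in the copy, so the
// script refuses to render when the document is not on an expected host.
function shouldRender(documentLocationHostname, allowedHosts) {
  return allowedHosts.includes(documentLocationHostname.toLowerCase());
}

const PROXIED = proxyRewrite(UPSTREAM, 'https://proxy.example'); // constructed proxy

console.log('direct copy framable by attacker:', !framingBlocked(UPSTREAM, ATTACKER));
console.log('proxied copy framable by attacker:', !framingBlocked(PROXIED, ATTACKER));
console.log('cookies sent to the proxied copy:', cookiesSentTo(VICTIM_JAR, PROXIED.origin));
console.log('render on proxy host:', shouldRender('proxy.example', ALLOWED_HOSTS));
```

Running it shows the two halves of the picture: the proxied copy has no X-Frame-Options and no frame-ancestors left, so a browser will frame it, but it also carries none of the victim's session cookies, because they belong to manybooks.net and the frame is loading proxy.example. Stripped anti-framing headers on a proxied copy therefore do not expose an authenticated session; what remains is a phishing page that looks like the site, which is what the report's POC describes. The only server-controlled thing that survives the proxy is the page's own script, hence the hostname check, and a proxy that rewrites page content as well as headers can remove that too, so it is a best-effort measure rather than a replacement for the headers on the real origin.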