Mavenlink: Clickjacking

ID H1:21110
Type hackerone
Reporter eronx
Modified 2014-08-21T17:13:49

You have no implementation of Clickjacking attacks on your mobile version. I have set up a user agent switcher and tried to support my claim with regards to the mobile website.

For proof of concept: <iframe src=""></iframe>

For mitigation, you may want to add the HTTP header X-Frame-Options and set it to DENY.

Attached below is a screenshot. Thanks!
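Added example, not part of eronx's report and not Mavenlink's code: a small check that decides from a response's headers whether an arbitrary third-party origin is allowed to frame the page, which is the precondition for clickjacking. It covers the header the report names (X-Frame-Options, with DENY and SAMEORIGIN as the only values current browsers honour; the obsolete ALLOW-FROM is ignored and leaves the page frameable) and its modern replacement, the CSP frame-ancestors directive, which browsers that support it apply in preference to X-Frame-Options. The desktop and mobile header sets are constructed to mirror the report's finding: the same page served to a mobile user agent without the header the desktop variant carries, so the check has to be run once per user-agent variant, not once per URL.

```javascript
// Added example (not from the report or from Mavenlink): classify whether a
// response may be framed by an arbitrary origin. All header sets are constructed.

function headerValues(headers, name) {
  // headers is an array of [name, value] pairs; header names are case-insensitive.
  const want = name.toLowerCase();
  return headers
    .filter(([n]) => n.toLowerCase() === want)
    .map(([, v]) => v.trim());
}

function frameAncestors(cspValue) {
  // Return the source list of a CSP frame-ancestors directive, or null if absent.
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function framingPolicy(headers) {
  // Browsers that support frame-ancestors apply it and ignore X-Frame-Options.
  for (const csp of headerValues(headers, 'Content-Security-Policy')) {
    const sources = frameAncestors(csp);
    if (sources === null) continue;
    // '*', a bare scheme, or a scheme with a wildcard host admits any origin.
    const open = sources.some((s) => s === '*' || s === 'http:' || s === 'https:' || s.endsWith('://*'));
    if (open) return { frameable: true, reason: 'frame-ancestors permits any origin' };
    // An empty source list means 'none' per the CSP spec.
    return { frameable: false, reason: 'frame-ancestors ' + (sources.join(' ') || "'none'") };
  }

  // Fall back to X-Frame-Options. Repeated headers or comma-joined lists are
  // split into distinct values so that conflicting values are noticed.
  const values = [...new Set(
    headerValues(headers, 'X-Frame-Options')
      .flatMap((v) => v.split(','))
      .map((v) => v.trim().toUpperCase())
      .filter(Boolean)
  )];
  if (values.length === 0) {
    return { frameable: true, reason: 'no X-Frame-Options and no frame-ancestors' };
  }
  if (values.length > 1) {
    // Browser handling of conflicting values differs; report it and confirm in a browser.
    return { frameable: null, reason: 'conflicting X-Frame-Options values: ' + values.join(' | ') };
  }
  if (values[0] === 'DENY' || values[0] === 'SAMEORIGIN') {
    return { frameable: false, reason: 'X-Frame-Options: ' + values[0] };
  }
  // ALLOW-FROM and any other token are ignored by current browsers.
  return { frameable: true, reason: 'unsupported X-Frame-Options value "' + values[0] + '" is ignored' };
}

// Constructed responses for one URL served to two user agents: the desktop
// variant carries the header, the mobile variant does not.
const SAMPLE_RESPONSES = {
  desktop: [
    ['Content-Type', 'text/html; charset=utf-8'],
    ['X-Frame-Options', 'DENY'],
  ],
  mobile: [
    ['Content-Type', 'text/html; charset=utf-8'],
    ['Cache-Control', 'no-cache'],
  ],
};

function frameableVariants(responses) {
  // Names of every variant that is not positively protected (frameable true or undetermined).
  return Object.keys(responses).filter((name) => framingPolicy(responses[name]).frameable !== false);
}

console.log(frameableVariants(SAMPLE_RESPONSES)); // prints [ 'mobile' ]
```

To reproduce the report's method, capture the response headers for the same URL once with a normal user agent and once with a mobile user agent (a user-agent switcher or curl -A) and feed each header list to framingPolicy; any variant that comes back with frameable true is the one a PoC page can load in an iframe.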