Mavenlink: Clickjacking

2014-07-22T22:05:46
ID H1:21110
Type hackerone
Reporter eronx
Modified 2014-08-21T17:13:49

Description

Hi,

You have no implementation of Clickjacking attacks on your mobile version. I have set up a user agent switcher and tried to support my claim with regard to the mobile website.

For proof of concept: <iframe src="https://m.mavenlink.com/#/workspaces/new"></iframe>

For mitigation, you may want to add the HTTP header X-Frame-Options and set it to DENY.

Attached below is a screenshot. Thanks!
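The following is an added example, not code from the reporter or from Mavenlink. It models the browser-side decision of whether a response may be rendered inside a frame, so the no-header situation the report describes and the suggested X-Frame-Options: DENY fix (plus its modern equivalent, CSP frame-ancestors, which browsers prefer over X-Frame-Options when both are present) can be compared on constructed response headers. The attacker origin, the response header sets and the simplified CSP source matching are all assumptions made for this illustration.

```javascript
// Added example: model of how a browser decides whether a page may be framed.
// Not part of the original report; all headers and origins below are constructed.

const PAGE = "https://m.mavenlink.com";          // origin of the framed page
const ATTACKER = "https://attacker.example";     // constructed attacker origin

// Constructed: the mobile site as the report describes it, no framing policy at all.
const VULNERABLE_RESPONSE = {
  "content-type": "text/html; charset=utf-8",
};

// The fix: X-Frame-Options for older browsers, frame-ancestors for modern ones.
// Note that DENY / 'none' also stops the site from framing itself.
function hardenedHeaders() {
  return {
    "content-type": "text/html; charset=utf-8",
    "x-frame-options": "DENY",
    "content-security-policy": "frame-ancestors 'none'",
  };
}

// Simplified CSP source matcher: 'none', 'self', exact origins and
// host forms such as https://*.example.com or example.com. A source with
// no scheme is treated here as matching any scheme (real CSP ties it to
// the page's scheme); ports are ignored.
function originMatches(source, origin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return origin === pageOrigin;
  const o = new URL(origin);
  let scheme = null;
  let host = s;
  const m = s.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) { scheme = m[1]; host = m[2]; }
  if (scheme && scheme !== o.protocol.replace(":", "")) return false;
  if (host.startsWith("*.")) return o.hostname.endsWith(host.slice(1));
  return o.hostname === host;
}

// headers: response headers with lower-cased names.
// ancestorOrigins: origins of every frame above the page (empty for a
// top-level navigation). Every ancestor must be allowed, as browsers
// check the whole ancestor chain for both mechanisms.
function mayBeFramed(headers, pageOrigin, ancestorOrigins) {
  const csp = headers["content-security-policy"];
  if (csp) {
    const directive = csp.split(";").map((d) => d.trim())
      .find((d) => /^frame-ancestors\b/i.test(d));
    if (directive) {
      // frame-ancestors present: X-Frame-Options is ignored, CSP decides.
      const sources = directive.split(/\s+/).slice(1);
      return ancestorOrigins.every((a) =>
        sources.some((src) => originMatches(src, a, pageOrigin)));
    }
  }
  const xfo = headers["x-frame-options"];
  if (xfo === undefined) return true;            // no policy: framing allowed
  const values = [...new Set(xfo.split(",").map((v) => v.trim().toLowerCase()))];
  if (values.length > 1) return false;           // conflicting values act as DENY
  if (values[0] === "deny") return false;
  if (values[0] === "sameorigin") return ancestorOrigins.every((a) => a === pageOrigin);
  return true;                                   // unknown value (e.g. ALLOW-FROM) is ignored
}

// Side by side: the report's finding versus the proposed fix.
function demo() {
  return {
    vulnerable: mayBeFramed(VULNERABLE_RESPONSE, PAGE, [ATTACKER]),
    hardened: mayBeFramed(hardenedHeaders(), PAGE, [ATTACKER]),
    hardenedSelf: mayBeFramed(hardenedHeaders(), PAGE, [PAGE]),
  };
}

console.log(demo());
```

Run it with `node` to see the three verdicts. If Mavenlink ever needs to embed its own pages (for example the web app framing the mobile site), the same checker shows that SAMEORIGIN or `frame-ancestors 'self'` keeps that working while still blocking the attacker's page; an attacker framing a same-origin frame is still blocked because every ancestor is checked.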