Search...

WakaTime: Clickjacking on authorized page https://wakatime.com/share/embed

2017-07-01T02:53:51

ID H1:244967
Type hackerone
Reporter silv3rpoision
Modified 2017-07-05T06:21:31

Description

Hii, https://wakatime.com/share/embed is vulnerabel to clickjaking. Description: I found the resource on https://wakatime.com/share/embed, which can be vulnerable to the Clickjacking.

Impact The resource without X-Frame-Options potentially vulnerable to the Clickjacking. The vulnerability exist only for authenticated users (possible UI redressing in the Dashboard).As it is on a authenticated page so a attacker make many benefits of it and can click jack any user

Step-by-step Reproduction Instructions

Go to the https://wakatime.com/share/embed Look to the response headers. or Create .html file with next content: <iframe src="https://wakatime.com/share/embed"></iframe>

Suggested Mitigation/Remediation Actions Adding X-Frame-Options: DENY header will solve this problem.

Thnx plzz review it and fix as soon as possible.

Regards Piyush kumar

JSON Vulners Source

Initial Source

{"id": "H1:244967", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "WakaTime: Clickjacking on authorized page https://wakatime.com/share/embed", "description": "Hii,\nhttps://wakatime.com/share/embed is vulnerabel to clickjaking.\nDescription:\nI found the resource on https://wakatime.com/share/embed, which can be vulnerable to the Clickjacking.\n\nImpact\nThe resource without X-Frame-Options potentially vulnerable to the Clickjacking. The vulnerability exist only for authenticated users (possible UI redressing in the Dashboard).As it is on a authenticated page so a attacker make many benefits of it and can click jack any user\n\nStep-by-step Reproduction Instructions\n\nGo to the https://wakatime.com/share/embed\nLook to the response headers. or Create .html file with next content: <iframe src=\"https://wakatime.com/share/embed\"></iframe>\n\nSuggested Mitigation/Remediation Actions\nAdding X-Frame-Options: DENY header will solve this problem.\n\nThnx plzz review it and fix as soon as possible.\n\nRegards Piyush kumar", "published": "2017-07-01T02:53:51", "modified": "2017-07-05T06:21:31", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/244967", "reporter": "silv3rpoision", "references": [], "cvelist": [], "lastseen": "2018-10-03T04:17:18", "viewCount": 20, "enchantments": {"score": {"value": 0.9, "vector": "NONE", "modified": "2018-10-03T04:17:18", "rev": 2}, "dependencies": {"references": [], "modified": "2018-10-03T04:17:18", "rev": 2}, "vulnersScore": 0.9}, "bounty": 0.0, "bountyState": "resolved", "h1team": {"handle": "wakatime", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/000/021/801/1c6ea4e2a9016e302a8fa034ca3c8cf62f48a9a5_medium.?1497459373", "small": "https://profile-photos.hackerone-user-content.com/000/021/801/2caa9152d96549f89882e75d40046966865ee3ae_small.?1497459373"}, "url": "https://hackerone.com/wakatime"}, "h1reporter": {"disabled": false, "hacker_mediation": false, "hackerone_triager": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/178/089/ca6a32cbb78a6182e51931934680133ef5418077_small.jpg?1538527198"}, "url": "/silv3rpoision", "username": "silv3rpoision"}}