Legal Robot: Clickjacking in Legalrobot app

ID H1:270454
Type hackerone
Reporter 9itrsec
Modified 2017-11-10T11:36:03


Dear Team,


Please find attached screenshots

Steps to reproduce:

create index.html file with following content: <iframe sandbox="allow-scripts allow-forms" src="" width="1000" height="600"></iframe>

Open index.html in browser

Actual result: Legalrobot email verification page is viewed in iframe.


Frame busting technique is the better framing protection technique. Send the proper X-Frame-Options HTTP response headers that instruct the browser not to allow framing from other domains.

Same issue found in as well.
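The mitigation the report asks for is a response header that forbids cross-origin framing. Below is an added example (not part of the original report or of Legal Robot's code) that classifies a response's framing policy from its headers, covering both X-Frame-Options and the CSP frame-ancestors directive that supersedes it; the header sets at the bottom are constructed samples, not captures from the application.

```python
"""Classify a response's clickjacking protection from its HTTP headers.
Added example; the sample header sets below are constructed for illustration."""
from typing import Dict, List

def _csp_frame_ancestors(csp: str) -> List[str]:
    """Return the source list of the frame-ancestors directive, or [] if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return []

def framing_protection(headers: Dict[str, str]) -> str:
    """Return one of:
      'blocked'     - cross-origin framing denied (XFO DENY/SAMEORIGIN, or
                      CSP frame-ancestors 'none' / 'self' only)
      'restricted'  - CSP frame-ancestors limits framing to listed origins
      'weak'        - only an ineffective value is present (obsolete ALLOW-FROM,
                      a malformed value, or frame-ancestors *)
      'unprotected' - neither header present, so the page can be framed as in
                      the report above
    """
    lower = {k.lower(): v for k, v in headers.items()}
    # Browsers that support frame-ancestors ignore X-Frame-Options when it is present.
    ancestors = _csp_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors:
        if ancestors == ["'none'"] or all(a == "'self'" for a in ancestors):
            return "blocked"
        if "*" in ancestors:
            return "weak"
        return "restricted"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "blocked"
    if xfo:
        return "weak"  # ALLOW-FROM is obsolete and ignored by current browsers
    return "unprotected"

# Constructed header sets (hypothetical, not captured from the application).
SAMPLES = {
    "no_headers": {"Content-Type": "text/html"},
    "xfo_deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
}

def audit(samples: Dict[str, Dict[str, str]] = SAMPLES) -> Dict[str, str]:
    """Map each sample name to its framing verdict."""
    return {name: framing_protection(h) for name, h in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```

Run it against real responses by passing `dict(resp.headers)` from any HTTP client; a verdict of `unprotected` or `weak` is the condition the report describes.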