Legal Robot: Clickjacking in Legalrobot app

2017-09-22T07:04:48
ID H1:270454
Type hackerone
Reporter 9itrsec
Modified 2017-11-10T11:36:03

Description

Dear Team,

POC

Please find attached screenshots

Steps to reproduce:

create index.html file with following content: <iframe sandbox="allow-scripts allow-forms" src="https://app.legalrobot-uat.com/pending-verification" width="1000" height="600"></iframe>

Open index.html in browser

Actual result: Legalrobot email verification page is viewed in iframe.

Remediation:

Frame busting technique is the better framing protection technique. Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not allow raming from other domains.

Same issue found in https://app.legalrobot.com/pending-verification as well.