Vulnerable URL: https://wordpressfoundation.org/donate/
The donation page at the vulnerable URL is served without any framing restriction, so an attacker can embed it in an iframe on a page they control, overlay it with their own content, and trick a victim into completing a donation through the attacker's page (clickjacking). The proof of concept below simply frames the page; if the donation form renders inside the frame, the page is frameable.
<!DOCTYPE HTML>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<!-- reload every 5 seconds so the framed page is refetched while testing -->
<meta http-equiv="refresh" content="5">
<title>i Frame</title>
</head>
<body>
<center><h1>THIS PAGE IS VULNERABLE TO CLICKJACKING</h1>
<!-- if the donation page renders inside this frame, it is not protected by frame-ancestors or X-Frame-Options -->
<iframe src="https://wordpressfoundation.org/donate/" frameborder="0" height="1200px" width="1920px"></iframe>
</center>
</body>
</html>
*Sorry for the bad UI, and please remove my payment-request ID from the donation.html page after the vulnerability check.
To control where your site can be embedded, send a Content-Security-Policy header with the frame-ancestors directive:
Content-Security-Policy: frame-ancestors 'none' (The page cannot be displayed in a frame, regardless of the site attempting to do so.)
Content-Security-Policy: frame-ancestors 'self' (The page can only be displayed in a frame on the same origin as the page itself.)
Content-Security-Policy: frame-ancestors https://example.com (The page can only be displayed in a frame on the listed origins; example.com stands for whatever origin needs to embed it, and several sources can be listed separated by spaces.)
For browsers that do not understand frame-ancestors, also send X-Frame-Options: DENY (or SAMEORIGIN). When both headers are present, a browser that supports frame-ancestors uses it and ignores X-Frame-Options, so the two should agree. Do not rely on JavaScript frame-busting alone, since an attacker can neutralise it with the iframe sandbox attribute. To confirm the fix, check the response headers of https://wordpressfoundation.org/donate/ and reload the proof-of-concept page: the iframe should stay blank.
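As an added check (example code written for this edit, not part of the original report or of the WordPress Foundation site), the following Node.js script decides whether a page served with a given set of response headers could be framed from an embedder origin, following the frame-ancestors rules above and falling back to X-Frame-Options when no frame-ancestors directive is present. The header sets and the origins attacker.example and partner.example are constructed assumptions; feed isFrameable the real headers (for example from curl -I) to verify the fix.

```javascript
// Added example (not part of the original report): decide whether a response's
// headers allow the page to be framed by a given embedder, using CSP
// frame-ancestors semantics and falling back to X-Frame-Options.
// Run with: node frameable.js
// All header sets below are constructed samples, not captured from the real site.

// Returns the frame-ancestors source list, [] for an empty directive, or null
// when the header carries no frame-ancestors directive at all.
function parseFrameAncestors(cspHeader) {
  if (!cspHeader) return null;
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null;
}

// Matches one CSP source expression against the embedder's origin.
// Handles 'none', 'self', '*', scheme-source ("https:") and host-source
// ("https://*.example.com:443"); 'self' is resolved against pageOrigin.
function originMatchesSource(source, embedderOrigin, pageOrigin) {
  const s = source.toLowerCase();
  const emb = new URL(embedderOrigin);
  if (s === "'none'") return false;
  if (s === "'self'") return emb.origin === new URL(pageOrigin).origin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return emb.protocol === s; // scheme-source
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?$/);
  if (!m) return false; // unsupported or malformed source: fail closed
  const [, scheme, host, port] = m;
  if (scheme && emb.protocol !== scheme + ':') return false;
  // Without a scheme the spec matches the page's scheme or its secure upgrade;
  // simplified here to accepting http or https embedders.
  if (!scheme && !['http:', 'https:'].includes(emb.protocol)) return false;
  if (host.startsWith('*.')) {
    if (!emb.hostname.endsWith(host.slice(1))) return false; // "*.a.b" -> ".a.b"
  } else if (emb.hostname !== host) {
    return false;
  }
  if (port && port !== '*') {
    const embPort = emb.port || (emb.protocol === 'https:' ? '443' : '80');
    if (embPort !== port) return false;
  }
  return true;
}

// True when a document served with these headers could be embedded in a frame
// on embedderOrigin. CSP frame-ancestors, when present, wins over X-Frame-Options.
function isFrameable(headers, pageOrigin, embedderOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors !== null) {
    if (ancestors.length === 0) return false; // empty source list matches nothing
    return ancestors.some((src) => originMatchesSource(src, embedderOrigin, pageOrigin));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return new URL(embedderOrigin).origin === new URL(pageOrigin).origin;
  // No header, or the obsolete ALLOW-FROM that current browsers ignore: no protection.
  return true;
}

const PAGE_ORIGIN = 'https://wordpressfoundation.org';
const ATTACKER_ORIGIN = 'https://attacker.example'; // hypothetical attacker site

// Constructed sample header sets: the first mirrors the reported state (no
// framing protection), the others show the remediation options.
const SAMPLES = {
  unprotected: { 'Content-Type': 'text/html' },
  cspNone: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspSelf: { 'Content-Security-Policy': "frame-ancestors 'self'" },
  cspPartner: { 'Content-Security-Policy': "frame-ancestors 'self' https://*.partner.example" },
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  xfoSameOrigin: { 'x-frame-options': 'SAMEORIGIN' },
};

// Evaluates every sample against an embedder origin and returns name -> frameable.
function report(embedderOrigin = ATTACKER_ORIGIN) {
  const result = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    result[name] = isFrameable(headers, PAGE_ORIGIN, embedderOrigin);
  }
  return result;
}

for (const [name, frameable] of Object.entries(report())) {
  console.log(`${name.padEnd(14)} frameable from ${ATTACKER_ORIGIN}: ${frameable}`);
}
```

Only the unprotected sample comes out frameable from the attacker origin; the cspSelf and cspPartner samples become frameable again only when the embedder is the page's own origin or a host under partner.example, which is the behaviour the remediation above is meant to produce.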
If an attacker succeeds in luring the victim to the clickjacked page, they can trick the victim into donating money to the attacker's account. An attacker may also craft the page to gather the victim's information, or use a BeEF hook to take control of the victim's browser.