
Vulnerability type Click Jacking #1456

Open
raza234 opened this issue Nov 25, 2021 · 4 comments

Comments


raza234 commented Nov 25, 2021

Hi team,

This time I found this vulnerability on your website:
https://nuxtjs.org/
nuxt clickjacking

Click jacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

The server didn't return an X-Frame-Options header, which means that this website could be at risk of a click jacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a `<frame>` or `<iframe>`. Sites can use this to avoid click jacking attacks, by ensuring that their content is not embedded into other sites.

This vulnerability affects Web Server.

Here are the steps to reproduce the vulnerability:

1. Open Notepad and paste the following code:

```html
<title>i Frame</title>
This is clickjacking vulnerable
<iframe src="https://nuxtjs.org/" frameborder="2" height="500px" width="500px"></iframe>
```

2. Save it as an `.html` file, e.g. `s.html`.

3. And just simply open that.

OR
Copy the link below and paste it into your updated browser (Chrome, Firefox).
https://clickjacker.io/test?url=https://nuxtjs.org/
As far as I know, this data is enough to prove that your site is vulnerable to click jacking;
according to OWASP, it's more than enough.

https://www.owasp.org/index.php/Testing_for_Clickjacking_(OWASP-CS-004)

SOLUTION:

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

Check this out and here is the solution for that.

I hope that you will fix this issue as soon as possible. Looking forward to hearing from you. Thank you.

Sincerely,
Hassan Raza
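A defender-side check, added here as an example and not code from this issue or from the Nuxt project: given the response headers of a page (constructed samples below, not captured from nuxtjs.org), it reports whether framing is blocked by `X-Frame-Options` or by a CSP `frame-ancestors` directive, the two controls the report above says are missing. The `SAMPLES` dictionary and function names are assumptions for illustration.

```python
"""Classify a response's clickjacking protection from its headers."""
from typing import List, Mapping, Optional, Tuple


def frame_ancestors_from_csp(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def assess_framing(headers: Mapping[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is blocked, same-origin, restricted or unprotected."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors_from_csp(csp)
        if sources is not None:
            # When frame-ancestors is present, browsers ignore X-Frame-Options.
            if sources == [] or sources == ["'none'"]:  # empty source list matches nothing
                return "blocked", "CSP frame-ancestors 'none'"
            if sources == ["'self'"]:
                return "same-origin", "CSP frame-ancestors 'self'"
            if "*" in sources:
                return "unprotected", "CSP frame-ancestors allows any origin"
            return "restricted", "CSP frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options")
    if xfo is None:
        return "unprotected", "no X-Frame-Options or CSP frame-ancestors header"
    value = xfo.strip().upper()
    if value == "DENY":
        return "blocked", "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return "same-origin", "X-Frame-Options: SAMEORIGIN"
    # ALLOW-FROM is obsolete and ignored by current browsers; anything else is invalid.
    return "unprotected", f"X-Frame-Options value {xfo!r} is obsolete or invalid"


# Constructed sample header sets (assumption: not captured from any real site).
SAMPLES = {
    "as-reported": {"Content-Type": "text/html"},
    "hardened-xfo": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "hardened-csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, *assess_framing(hdrs))
```

For a statically generated site the headers come from the hosting layer rather than the app, so run the check against what the CDN or static host actually serves.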


stale bot commented Apr 17, 2022

Thanks for your contribution to Nuxt!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
If you would like this issue to remain open:

  1. Verify that you can still reproduce the issue in the latest version of nuxt-edge
  2. Comment the steps to reproduce it

Issues that are labeled as pending will not be automatically marked as stale.


raza234 commented Apr 17, 2022

Yes, I can still reproduce this issue after you updated your version.

Here are the steps to reproduce the vulnerability:

1. Open Notepad and paste the following code:

```html
<title>i Frame</title>
This is clickjacking vulnerable
<iframe src="https://nuxtjs.org/" frameborder="2" height="500px" width="500px"></iframe>
```

2. Save it as an `.html` file, e.g. `s.html`.

3. And just simply open that.

OR
Copy the link below and paste it into your updated browser (Chrome, Firefox).
https://clickjacker.io/test?url=https://nuxtjs.org/


manniL commented Dec 24, 2023

This still applies to nuxt.com. Mitigating this potential issue would mean that the docs can't be used inside an iframe anymore.

@manniL manniL transferred this issue from nuxt/nuxt Dec 24, 2023

atinux commented Dec 27, 2023

As long as it's SSG, we cannot do much about it as we don't control the headers (as far as I know).

Anyway, we don't use cookies for our websites, so it should be fine, and if they are, we are using the SameSite lax policy.
