Jump to content
Sign in to follow this  
Followers 0
kingsleymensah

Vulnerability report (click jacking)

By kingsleymensah, in General Discussion

Recommended Posts

kingsleymensah    6

kingsleymensah
Posted

Hi guys, i received an email from someone claiming to be a pentester and he says he found a vulnerability in  my WHMCS

Here is what he sent:

"I am a security researcher and I found this vulnerability in your website
https://kingscel.com/  
Bug type : UI Redress
Impact :  Phishing (account compromise)

Description :
Click jacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

POC:

<html>
<head>UI REDRESSING</head>
<body>
<h1>WEBSITE IS VULNERABLE TO UI REDRESSING</h1>
<iframe width=100% height=80% src="https://mydomain/whmcs/clientarea.php"></iframe>
</body>
<html>

Impact:
Any User can be lured in to click on whats look like a functionality of the website but is actually an attackers frame button containing some malicious javascript code or redirection code leading the user to a vulnerable site . And as the vulnerability persists even after the user is logged in which makes it even more sever.

Suggested Fix:
Add an iframe destroyer in the page headers.

Please let me know if any more info needed !
Waiting for your reply and hopefully a  bug bounty for responsibly reporting the issue ...

Note:  
i am attaching a screenshot as proof of concept waiting for your response."

 

Note: he just took a screenshot of my client area login page

 

Should i be concerned?

0

Share this post

Link to post
Share on other sites

bear    213

bear
Posted

He's looking for reward. I've seen these sent to forums, plain HTML sites, Wordpress and more, though "iframe breaking" is a new angle. 
Ignore, and block the sender, he won't quit asking for money.

1

Share this post

Link to post
Share on other sites

kingsleymensah    6

kingsleymensah
Posted
Just now, bear said:

He's looking for reward. I've seen these sent to forums, plain HTML sites, Wordpress and more, though "iframe breaking" is a new angle. 
Ignore, and block the sender, he won't quit asking for money.

ahhh..... thanks man. On it now!

0

Share this post

Link to post
Share on other sites

sol2010    9

sol2010
Posted

While there is no need to panic, you could also look into preventing this - it is a phenomenon known as clickjacking.

WHMCS has some info on it here: https://docs.whmcs.com/Further_Security_Steps#Defending_Against_Clickjacking

You can read up on Content-Security-Policy: frame-ancestors 'self' on the useful page: https://developers.google.com/web/fundamentals/security/csp

 

 

 

0

Share this post

Link to post
Share on other sites

Vander Host    1

Vander Host
Posted (edited)

Just got approached by a similar security researcher. I've examined the three references in this post, namely:

https://docs.whmcs.com/Further_Security_Steps#Defending_Against_Clickjacking
https://owasp.org/www-community/attacks/Clickjacking
https://documentation.cpanel.net/display/EA4/Advanced+Apache+Configuration

Any more clues what exact directive needs to be added?

As it happens we use WHM and Virtualmin and I'm pretty familiar with NGinx conf files, and Apache and so on, but all three references fail to actually tell you what to do.

Edited by Vander Host
0

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Sign in to follow this  
Followers 0
Go To Topic Listing

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated

  I accept