How I found Clickjacking bug
2022-1-3 14:8:14 Author: infosecwriteups.com (view original) Views: 14

Bug Bounty Writeup

Mukilan Baskaran

Welcome back to another important topic: how I found a clickjacking bug. After the recon phase I tested for SQL injection, XSS, XXE, and SSRF, but I couldn’t find anything interesting.

Next I checked which security headers were present and found that the X-Frame-Options header was missing.

Without it, the site is vulnerable to clickjacking (UI redressing).

Clickjacking is a dangerous technique for deceiving a user into clicking on something other than what they think they are clicking on, potentially revealing private information or allowing others to take control of their actions while they click on seemingly harmless objects, such as web pages.

For the PoC I used the clickjacker.io website, which provides a detailed report on clickjacking (UI redressing).

Paste any URL and it checks whether the page is vulnerable to clickjacking.

Or use the manual approach below to find this bug:

<html>
<head>
<title>Clickjacking Testing</title>
</head>
<body bgcolor="black">
<font color="white" size="30">
<p>This Website is Vulnerable to Clickjacking Attack!</p>
</font>
<!-- If the target page renders inside this frame, the server is not sending a framing restriction -->
<iframe src="https://www.redacted.com/" width="1000" height="500"></iframe>
</body>
</html>

Mitigation of Clickjacking attack:

To avoid clickjacking attacks you must set the X-Frame-Options header (DENY or SAMEORIGIN) and a Content-Security-Policy header with a frame-ancestors directive.
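As an added example (not code from the original write-up), the check below classifies a response's framing protection from its headers, honouring both X-Frame-Options and CSP frame-ancestors and flagging the deprecated ALLOW-FROM value; it assumes only the standard header semantics and the Python standard library.

```python
# Added example, not code from the original write-up: classify the framing
# protection a response advertises. Assumes standard X-Frame-Options and
# CSP frame-ancestors semantics; uses only the standard library.
import urllib.request

def csp_frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None

def assess_framing_protection(headers):
    """Return ('protected' | 'weak' | 'vulnerable', reason) for a header dict."""
    lower = {k.lower(): v for k, v in headers.items()}
    # frame-ancestors wins: browsers that support it ignore X-Frame-Options.
    ancestors = csp_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        # '*' or a bare scheme lets any origin (on that scheme) frame the page.
        loose = [a for a in ancestors if a in ("*", "http:", "https:")]
        if loose:
            return "vulnerable", f"frame-ancestors allows any origin: {loose}"
        return "protected", f"frame-ancestors restricts framing to {ancestors}"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options: {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        # Deprecated value; current browsers ignore it, so framing still works.
        return "weak", "X-Frame-Options ALLOW-FROM is ignored by modern browsers"
    if xfo:
        return "vulnerable", f"unrecognised X-Frame-Options value {xfo!r} is ignored"
    return "vulnerable", "neither X-Frame-Options nor CSP frame-ancestors is set"

def fetch_headers(url):
    """Live variant: fetch a URL's response headers (not used in the offline demo)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())

if __name__ == "__main__":
    # Constructed sample header sets, not captured from any real site.
    samples = {
        "no header": {"Content-Type": "text/html"},
        "xfo": {"X-Frame-Options": "sameorigin"},
        "csp open": {"Content-Security-Policy": "frame-ancestors *"},
    }
    for name, hdrs in samples.items():
        print(f"{name}: {assess_framing_protection(hdrs)}")
```

For a live site, pass `fetch_headers(url)` to `assess_framing_protection`; note that a missing header on one path does not prove every response on the host lacks it, so check the pages that actually hold sensitive actions.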


Source: https://infosecwriteups.com/finding-of-clickjacking-bug-f086bcf5f2fd?source=rss----7b722bfd1b8d--bug_bounty