Improper Restriction of Rendered UI Layers or Frames in kestasjk/webdiplomacy


Reported on

Jun 8th 2021

✍️ Description

It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The file does not set the response header X-Frame-Options: DENY. This issue can be found from the root path to other paths under this one.

🕵️‍♂️ Proof of Concept

Create a html file with the following content:

// frame.html
<body><iframe src="" height="1080" width="1920"></iframe></body>

Then, access the file with a browser. The page is framed.

💥 Impact

According to PortSwigger references, it might be possible for a page controlled by an attacker to load webDiplomacy website within an iframe. This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.

2 years ago


(sorry, some weird bugs happened when uploading the disclosure detail). The Permalink is

2 years ago


Hmm, appreciate you having a look. I'll make this change next time I do a commit, but it's pretty hard to think of an attack scenario this could bring about.

2 years ago


Forgot to mention I don't think this site has that header either

Kestas "Chris" Kuliukas marked this as fixed with commit 01ca7e 2 years ago
Kestas "Chris" Kuliukas has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation