Improper Restriction of Rendered UI Layers or Frames in demindiro/agreper

Valid

Reported on

Jan 24th 2023


Description

Clickjacking is possible because the application imposes no frame restrictions: the response carries neither an X-Frame-Options header (DENY or SAMEORIGIN) nor a Content-Security-Policy frame-ancestors directive, so any origin can embed the admin interface in an iframe.

Proof of Concept

http://localhost:8000/admin/

Response headers

HTTP/1.1 200 OK
Server: gunicorn
Date: Tue, 24 Jan 2023 02:26:23 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 3922
Vary: Cookie
Set-Cookie: session=eyJfcGVybWFuZW50Ijp0cnVlLCJ1c2VyX2lkIjoxfQ.Y89Bzw.VbjbkgJ5kmuUVdpTYYS2rQDJyV8; Expires=Fri, 24 Feb 2023 02:26:23 GMT; HttpOnly; Path=/

Impact

As PortSwigger's clickjacking documentation describes, a page controlled by an attacker can load the website within an iframe because nothing in the response forbids it. This enables a clickjacking attack: the attacker's page overlays the target application's interface (here the admin pages) with a different interface of the attacker's choosing, and by inducing the victim to click or type at chosen positions the attacker makes them unwittingly carry out actions within the targeted application, under the victim's own authenticated session. Because the genuine page issues the request, the attack circumvents anti-CSRF tokens and may result in unauthorized administrative actions. Two points for the fix: send X-Frame-Options: DENY (or SAMEORIGIN) and, for current browsers, Content-Security-Policy: frame-ancestors 'none'. Note also that the Set-Cookie above carries no SameSite attribute, so browsers that do not default cookies to SameSite=Lax will send the session cookie into a cross-site frame; browsers that do default to Lax will not, which reduces but does not remove the exposure.
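The check and a generic fix, as an added Python example that is not agreper's code and not the change in commit 09f56b: frame_protection() evaluates a list of response headers the way a browser would (CSP frame-ancestors overriding X-Frame-Options, the obsolete ALLOW-FROM counting as no protection, cookies without SameSite reported separately), and FrameProtection is a hypothetical WSGI middleware, usable under gunicorn, that adds both headers to every response. REPORTED_HEADERS is constructed from the response above with the session cookie value replaced by a placeholder; admin_app and run_through are stand-ins so the whole thing runs offline.

```python
"""Evaluate and enforce frame restrictions on a WSGI app.

Added example, not agreper's code and not its fix commit. Assumes only that
the app is served as WSGI (gunicorn, as the Server header says); the
middleware, function names and header policy are the example's own choices.
"""

# Constructed sample: the /admin/ response headers from the report, with the
# session cookie value replaced by a placeholder.
REPORTED_HEADERS = [
    ("Server", "gunicorn"),
    ("Date", "Tue, 24 Jan 2023 02:26:23 GMT"),
    ("Connection", "close"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Length", "3922"),
    ("Vary", "Cookie"),
    ("Set-Cookie", "session=REDACTED; Expires=Fri, 24 Feb 2023 02:26:23 GMT; HttpOnly; Path=/"),
]


def frame_protection(headers):
    """Decide whether a response can be embedded by an arbitrary cross-site page.

    Mirrors browser behaviour: a CSP frame-ancestors directive, when present,
    overrides X-Frame-Options; X-Frame-Options DENY and SAMEORIGIN both stop
    cross-site framing; the obsolete ALLOW-FROM (and any other value) is ignored
    by current browsers, so it counts as no protection. Cookies set without an
    explicit SameSite attribute are reported separately, because whether they
    are sent into a cross-site frame then depends on the browser's default.
    """
    xfo = None
    frame_ancestors = None
    no_samesite = []
    for name, value in headers:
        key = name.lower()
        if key == "x-frame-options":
            xfo = value.strip().upper()
        elif key == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    frame_ancestors = parts[1:]  # e.g. ["'none'"] or ["'self'", "https://x"]
        elif key == "set-cookie":
            attrs = [a.strip() for a in value.split(";")]
            if not any(a.lower().startswith("samesite=") for a in attrs[1:]):
                no_samesite.append(attrs[0].split("=", 1)[0])

    result = {"cookies_without_samesite": no_samesite}
    if frame_ancestors is not None:
        # Only a wildcard or a bare scheme source ("https:") lets any site frame
        # the page; an empty source list behaves like 'none'.
        any_site = any(s == "*" or s.endswith(":") for s in frame_ancestors)
        result.update(mechanism="frame-ancestors", cross_site_framable=any_site)
    elif xfo in ("DENY", "SAMEORIGIN"):
        result.update(mechanism="x-frame-options", cross_site_framable=False)
    else:
        result.update(mechanism=None, cross_site_framable=True)
    return result


class FrameProtection:
    """WSGI middleware that adds both anti-framing headers to every response.

    Both are set because older browsers understand only X-Frame-Options while
    current ones honour frame-ancestors. Existing values are left alone so a
    view that deliberately sets its own policy is not overridden.
    """

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers, exc_info=None):
            present = {k.lower() for k, _ in headers}
            extra = []
            if "x-frame-options" not in present:
                extra.append(("X-Frame-Options", "DENY"))
            if "content-security-policy" not in present:
                extra.append(("Content-Security-Policy", "frame-ancestors 'none'"))
            return start_response(status, list(headers) + extra, exc_info)

        return self.app(environ, wrapped_start_response)


def admin_app(environ, start_response):
    """Stand-in for the vulnerable /admin/ view: emits the captured headers as-is."""
    start_response("200 OK", list(REPORTED_HEADERS))
    return [b"<html>admin</html>"]


def run_through(app, path="/admin/"):
    """Drive a WSGI app in-process, returning (status, headers) without a server."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    print("as reported:", frame_protection(REPORTED_HEADERS))
    _, hardened = run_through(FrameProtection(admin_app))
    print("with middleware:", frame_protection(hardened))
```

The checker reports the captured /admin/ response as framable by any site with no mechanism present and the session cookie lacking SameSite; wrapping the same app in FrameProtection makes it report frame-ancestors as the mechanism and no cross-site framing. In a real deployment the middleware is applied once to the WSGI application object that gunicorn loads, and the SameSite finding is addressed in the session cookie configuration rather than here.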

We are processing your report and will contact the demindiro/agreper team within 24 hours. 10 months ago
bAu
10 months ago

Researcher


@admin According to the README.md you want to contact agreper+security@demindiro.com.

https://github.com/Demindiro/agreper/blob/master/README.md?plain=1#L3

We created a GitHub Issue asking the maintainers to create a SECURITY.md 10 months ago
We have contacted a member of the demindiro/agreper team and are waiting to hear back 10 months ago
David Hoppenbrouwers validated this vulnerability 10 months ago
bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Hoppenbrouwers marked this as fixed in 0.1.1b with commit 09f56b 10 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
David Hoppenbrouwers published this vulnerability 10 months ago