Improper Restriction of Rendered UI Layers or Frames in demindiro/agreper


Reported on

Jan 24th 2023


It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY.

Proof of Concept


Response headers

HTTP/1.1 200 OK
Server: gunicorn
Date: Tue, 24 Jan 2023 02:26:23 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 3922
Vary: Cookie
Set-Cookie: session=eyJfcGVybWFuZW50Ijp0cnVlLCJ1c2VyX2lkIjoxfQ.Y89Bzw.VbjbkgJ5kmuUVdpTYYS2rQDJyV8; Expires=Fri, 24 Feb 2023 02:26:23 GMT; HttpOnly; Path=/


According to PortSwigger references, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery and may result in unauthorized actions.

We are processing your report and will contact the demindiro/agreper team within 24 hours. 10 months ago
10 months ago


@admin According to the you want to contact

We created a GitHub Issue asking the maintainers to create a 10 months ago
We have contacted a member of the demindiro/agreper team and are waiting to hear back 10 months ago
David Hoppenbrouwers validated this vulnerability 10 months ago
bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Hoppenbrouwers marked this as fixed in 0.1.1b with commit 09f56b 10 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
David Hoppenbrouwers published this vulnerability 10 months ago
to join this conversation