In this article, we will discuss the Clickjacking vulnerability, how to find one, and present 25 disclosed reports based on this issue.
Clickjacking is a vulnerability in which users are visually tricked into clicking buttons or UI elements that appear to belong to the parent page, while in reality they are clicking elements of the vulnerable web application, which is loaded in a hidden frame behind the parent page's UI. In short, the users' clicks are hijacked to perform an action on a different page.
It can lead to unauthorised actions being performed on the victim's behalf, malware downloads, likejacking (on social media pages), and more.
There are multiple ways of testing whether a web application can be clickjacked. The one I use most is the Burp Clickbandit feature of Burp Suite.
Another option is to load the target page in an iframe on a page served from localhost, as follows:
<iframe src="URL"></iframe>
If the page renders inside the frame, it is not protected. Or, if you want to do it quickly, you can use the following website: https://www.lookout.net/test/clickjack.html
The fix for Clickjacking is straightforward: send the X-Frame-Options header. More details here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
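As an added example (not code from the article), the following Python function classifies a response's anti-framing headers the way browsers weigh them, so a header check can confirm the fix rather than relying on the iframe test alone; the sample responses at the bottom are constructed, not captured from any real site.

```python
from typing import Dict, List, Optional


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """Classify a response's anti-framing headers.

    Returns 'blocked' (no framing at all), 'same-origin', 'restricted' (CSP
    allow-list), 'invalid' (header present but not a single DENY/SAMEORIGIN,
    e.g. the unsupported ALLOW-FROM or conflicting values; fix it) or
    'frameable' (no usable protection, i.e. the clickjacking condition).
    Browsers give Content-Security-Policy frame-ancestors precedence over
    X-Frame-Options, so when CSP carries that directive X-Frame-Options is
    ignored entirely, even if it says DENY.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors == ["none"]:
            return "blocked"
        if ancestors == ["self"]:
            return "same-origin"
        if not ancestors:
            return "invalid"
        # A bare wildcard or scheme source lets any site on that scheme frame the page.
        if "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
            return "frameable"
        return "restricted"
    xfo = [v.strip().lower() for v in h.get("x-frame-options", "").split(",") if v.strip()]
    if xfo == ["deny"]:
        return "blocked"
    if xfo == ["sameorigin"]:
        return "same-origin"
    return "invalid" if xfo else "frameable"


# Constructed sample responses (hypothetical hosts), not real captures.
SAMPLES = {
    "no headers": {"Content-Type": "text/html"},
    "XFO deny": {"X-Frame-Options": "DENY"},
    "XFO deny but CSP opens it": {"X-Frame-Options": "DENY",
                                   "Content-Security-Policy": "frame-ancestors https:"},
    "CSP allow-list": {"content-security-policy": "frame-ancestors 'self' https://partner.example"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {framing_protection(hdrs)}")
```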
The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.
#1
Title: Highly wormable clickjacking in player card
Company: Twitter
Bounty: $5,040
Link: https://hackerone.com/reports/85624
#2
Title: OAuth authorization page vulnerable to clickjacking
Company: Coinbase
Bounty: $5,000
Link: https://hackerone.com/reports/65825
#3
Title: Twitter Periscope Clickjacking Vulnerability
Company: Twitter
Bounty: $1,120
Link: https://hackerone.com/reports/591432
#4
Title: Viral Direct Message Clickjacking via link truncation leading to capture of both Google credentials & installation of malicious 3rd party Twitter App
Company: Twitter
Bounty: $1,120
Link: https://hackerone.com/reports/643274
#5
Title: Stealing User emails by clickjacking cards.twitter.com/xxx/xxx
Company: Twitter
Bounty: $1,120
Link: https://hackerone.com/reports/154963
#6
Title: Clickjacking Periscope.tv on Chrome
Company: Twitter
Bounty: $560
Link: https://hackerone.com/reports/198622
#7
Title: ClickJacking on IMPORTANT Functions of Yelp
Company: Yelp
Bounty: $500
Link: https://hackerone.com/reports/305128
#8
Title: CRITICAL-CLICKJACKING at Yelp Reservations Resulting in exposure of victim Private Data (Email info) + Victim Credit Card MissUse.
Company: Yelp
Bounty: $500
Link: https://hackerone.com/reports/355859
#9
Title: Site-wide clickjacking at IE11
Company: New Relic
Bounty: $500
Link: https://hackerone.com/reports/614947
#10
Title: Bypass of the Clickjacking protection on Flickr using data URL in iframes
Company: Verizon Media
Bounty: $250
Link: https://hackerone.com/reports/7264
#11
Title: Make user buy items via clickjacking possibility
Company: Mail.ru
Bounty: $200
Link: https://hackerone.com/reports/471967
#12
Title: [api.tumblr.com] Exploiting clickjacking vulnerability to trigger self DOM-based XSS
Company: Automattic
Bounty: $150
Link: https://hackerone.com/reports/953579
#13
Title: Modifying application settings via clickjacking on o2.mail.ru
Company: Mail.ru
Bounty: $150
Link: https://hackerone.com/reports/355774
#14
Title: Single Sing On — Clickjacking
Company: Semrush
Bounty: $150
Link: https://hackerone.com/reports/299009
#15
Title: Following links are vulnerable to clickjacking
Company: Semrush
Bounty: $150
Link: https://hackerone.com/reports/289246
#16
Title: Clickjacking Vulnerability via https://webagent.mail.ru leading to protection bypass for https://web.icq.com/ end point
Company: Mail.ru
Bounty: $150
Link: https://hackerone.com/reports/918923
#17
Title: Sensitive Clickjacking on admin login page.
Company: Shipt
Bounty: $100
Link: https://hackerone.com/reports/389145
#18
Title: self-xss with ClickJacking can leads to account takeover in Firefox
Company: Imgur
Bounty: $100
Link: https://hackerone.com/reports/892289
#19
Title: Clickjacking Vulnerability found on Yelp
Company: Yelp
Bounty: $100
Link: https://hackerone.com/reports/214087
#20
Title: Clickjacking at ylands.com
Company: BOHEMIA INTERACTIVE a.s
Bounty: $80
Link: https://hackerone.com/reports/405342
#21
Title: Modify account details by exploiting clickjacking vulnerability on refer.wordpress.com
Company: Automattic
Bounty: $75
Link: https://hackerone.com/reports/765355
#22
Title: Clickjacking on donation page
Company: WordPress
Bounty: $50
Link: https://hackerone.com/reports/921709
#23
Title: Clickjacking at https://www.mavenlink.com/ main website
Company: Mavenlink
Bounty: $50
Link: https://hackerone.com/reports/14631
#24
Title: Clickjacking
Company: Mavenlink
Bounty: $50
Link: https://hackerone.com/reports/21110
#25
Title: AWS S3 website can’t serve security headers, may allow clickjacking
Company: Legal Robot
Bounty: $40
Link: https://hackerone.com/reports/149572
#1
Title: Clickjacking in the admin page
Company: Rocket.Chat
Bounty: $0
Link: https://hackerone.com/reports/728004
#2
Title: Clickjacking on cas.acronis.com login page
Company: Acronis
Bounty: $0
Link: https://hackerone.com/reports/971234
#3
Title: Clickjacking In jobs.wordpress.net
Company: WordPress
Bounty: $0
Link: https://hackerone.com/reports/223024
#4
Title: Clickjacking in [exchangemarketplace.com]
Company: Shopify
Bounty: $0
Link: https://hackerone.com/reports/658217
#5
Title: Clickjacking wordcamp.org
Company: WordPress
Bounty: $0
Link: https://hackerone.com/reports/230581
#6
Title: URL is vulnerable to clickjacking
Company: MyCrypto
Bounty: $0
Link: https://hackerone.com/reports/712376
#7
Title: Clickjacking mercantile.wordpress.org
Company: WordPress
Bounty: $0
Link: https://hackerone.com/reports/264125
#8
Title: Get ip and Geo location any user via Clickjacking with inspectlet technology
Company: Acronis
Bounty: $0
Link: https://hackerone.com/reports/998555
#9
Title: Clickjacking on authorized page https://wakatime.com/share/embed
Company: WakaTime
Bounty: $0
Link: https://hackerone.com/reports/244967
#10
Title: Clickjacking — https://mercantile.wordpress.org/
Company: WordPress
Bounty: $0
Link: https://hackerone.com/reports/258283
Many thanks, and wish you a beautiful day!