[BUG]: clickjacking vulnerability

While performing security testing https://code4rena.com/I have found the vulnerability called Clickjacking.

What is Clickjacking ? Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a or . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. This vulnerability affects Web Server. Steps to Reproduce: Put <a rel="noreferrer nofollow" target="_blank" href="https://code4rena.com/">https://code4rena.com/</a> url in the code of iframe, which is given below <title>I Frame</title> clickjacking vulnerability <iframe src="https://code4rena.com/" height="550px" width="700px">

By Dinesh11

Notice that site is visible in the Iframe

Impact: This is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online or Stealing NFTs. Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user believes they are clicking the visible page

I personally believe this issue can be closed, clickjacking shouldn't be relevant to this website/DApp especially considering any important 'write' actions involve using a web3 wallet which has 2-step confirm (outside the webpage) by default. The attack assumes the user is already visiting a malicious website (or this website is already been taken over and this website is instead clickjacking another website which isnt mentioned, but probably equally relevant) which makes it a moot point imo

One other thing to point out is that techniques to prevent the website showing up in an iframe will break functionality in some web3 mobile wallet browsers like metamask, making those users unable to open the website, and those techniques dont 100% prevent clickjacking anyway

Also this is a public repo, so a more effective attack than creating a non-relevant phising website and hiding this one in an invisible iframe is to just fork this one and create a direct phising website instead, easier to trick people that way

code-423n4 / code423n4.com

[BUG]: clickjacking vulnerability #3861