codemonkey-uk / gawm

GAWM on github is an api & browser UI to facilitate remote-play of Getting Away With Murder, a co-operative role-play game of drama, wit, and mystery.
http://gawm.link

Bug: X-Frame-Options not set #127

Open codemonkey-uk opened 1 month ago

codemonkey-uk commented 1 month ago

The following email was sent to the site contact email. A quick Google suggests the vulnerability is real even if the email may be phishing.

Hello Team,

I have identified a security issue in your system related to the vulnerability 'Missing X-Frame-Options Header Vulnerability'.

Vulnerability Details:

  • Vulnerability Type: Missing X-Frame-Options Header Vulnerability
  • Affected URL: https://gawm.link/
  • Severity: Medium

Description: A security vulnerability has been detected in your system. This vulnerability is related to 'Missing X-Frame-Options Header Vulnerability', which may expose your system to potential issues.

Impact:

  1. Clickjacking: Attackers may embed your website in a malicious frame and trick users into interacting with it.
  2. Data Theft: Sensitive information might be exposed through malicious user interactions.
  3. Loss of Trust: Users may lose trust in your site's security if exploited.

Recommendation:

  1. Add the 'X-Frame-Options' HTTP header to prevent embedding your site in a frame.
  2. Configure it to 'DENY' or 'SAMEORIGIN' to block all or limit the framing to the same origin.
  3. Test your site's security headers using tools like

Proof of Concept (PoC): Here is HTML code to demonstrate the vulnerability:

<!DOCTYPE html>

Clickjacking PoC

Welcome to My Site

If you click the button below, you're actually clicking a hidden button on another website!
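The recommendation in the report leaves the verification step to external tools. As an added example that is not part of this issue or of the gawm project, the Python checker below classifies a response's anti-framing headers, handling both X-Frame-Options and the CSP frame-ancestors directive (which takes precedence over X-Frame-Options in browsers that support it), and can also be pointed at a live URL. The sample header sets at the bottom are constructed, not captured from gawm.link.

```python
"""Evaluate whether HTTP response headers protect a page against clickjacking."""
from typing import Mapping
import urllib.request

VALID_XFO = {"DENY", "SAMEORIGIN"}

def parse_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None

def assess_framing_protection(headers: Mapping[str, str]) -> dict:
    """Classify anti-framing protection; header names are matched case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    result = {"protected": False, "mechanism": None, "notes": []}
    ancestors = parse_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        # A CSP frame-ancestors directive overrides X-Frame-Options when present
        if "*" in ancestors:
            result["notes"].append("frame-ancestors * lets any site frame the page")
        else:
            result.update(protected=True, mechanism="csp-frame-ancestors")
            if ancestors not in (["none"], ["self"]):
                result["notes"].append("framing is limited to the listed origins")
        return result
    xfo = lower.get("x-frame-options")
    if xfo is None:
        result["notes"].append("neither X-Frame-Options nor CSP frame-ancestors is set")
        return result
    value = xfo.strip().upper()
    if value in VALID_XFO:
        result.update(protected=True, mechanism="x-frame-options")
    elif value.startswith("ALLOW-FROM"):
        result["notes"].append("ALLOW-FROM is obsolete and ignored by current browsers")
    else:
        result["notes"].append(f"unrecognised X-Frame-Options value {xfo!r}")
    return result

def check_url(url: str, timeout: float = 10) -> dict:
    """Fetch a URL and assess its response headers (needs network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return assess_framing_protection(dict(resp.headers.items()))

# Constructed sample header sets, not captured from gawm.link
MISSING = {"Content-Type": "text/html"}
FIXED = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
```

Running `check_url("https://gawm.link/")` after deploying the header should report `mechanism` as `x-frame-options` (or `csp-frame-ancestors` if frame-ancestors is used instead).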