Clickjacking vulnerability at https://alpha.pstake.finance

[Shashank-In]

Describe the bug Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both. Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.https://cwe.mitre.org/data/definitions/451.html

To Reproduce

1. Save the below code in an HTML file and we will notice that the web application can be iframed.

<!DOCTYPE HTML>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<title>i Frame</title>
</head>
<body>
<h3>This is clickjacking vulnerable</h3>
<iframe src="https://alpha.pstake.finance" frameborder="200 px" height="500px">
</body>
</html>

Expected behaviour The web application should not allow the application to be loaded inside an iframe

Screenshots

Desktop (please complete the following information):

• Browser chrome, safari, firefox
• Version [latest]

Smartphone (please complete the following information): All devices

Additional context Suggested Fix:

1. Use the X-Frame-Options: DENY HTTP response header on pages with sensitive information, to disallow framing of the page on external resources.
2. In the case where DENY is not an option, use X-Frame-Options: SAMEORIGIN.
3. Implement Content Security Policy with the directive frame-ancestors set to 'none', 'self', or the additional domains that are allowed to iframe the application.

Ethereum address 0xdc3442769DB7D34e6468Ded0b9B2a1baa4630C99

Criticality Assessment Please pick one:

• [x] Low: An issue that might cause user dissatisfaction or minimal failure of the application

Checklist

• [x] The reported issue is in the scope of the pStake BugBounty program.
• [x] This issue has not been reported before.
• [x] The ethereum address filled in is valid.

[Shashank-In]

screenshot

[vision2point0]

pSTAKE is a react app which is a javascript drive SPA. X-Frame-Options is a HTTP header and setting it depends on the application you use as HTTP server, not on the files being served. Not sure if this is relevant in our scenario unless you can provide a very specific example of an attack vector.

[Shashank-In]

@aditim121 I am not sure about the relevance of your statement. Crafting an attack vector for a PoC will be very time taking so I created a vulnerability POC rather than an exploit. I do agree the impact is low but the attack vector is self-explanatory. https://auth0.com/blog/preventing-clickjacking-attacks/ And as far as I know, be it react app or any. Clickjacking can be fixed. Or at least a frame buster can be implemented. Ref: https://en.wikipedia.org/wiki/Framekiller

[kombos]

since this is a blockchain based app, one can only create transactions which are part of the smart contract, and only using their keys stored in metamask. even in the scenario of such a clickjacking attack vector, ultimately the txn cannot be spoofed to a different smart contract since metamask provides complete data before sending the txn.