Vulnerability type Click Jacking
Hi team,
This time I found this vulnerability in your website:
https://nuxtjs.org/

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a or
This vulnerability affects Web Server.
Here are the steps to reproduce the vulnerability:
1. Open Notepad and paste the following code.
This is clickjacking vulnerable
2. Save it as
3. And just simply open that...
Or copy the link below and paste it in your updated browser (Chrome, Firefox). https://clickjacker.io/test?url=https://nuxtjs.org/ As far as I know this data is enough to prove that your site is vulnerable to clickjacking; according to OWASP it's more than enough.
https://www.owasp.org/index.php/Testing_for_Clickjacking_(OWASP-CS-004)
SOLUTION:
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
Check this out and here is the solution for that.
I hope that you will fix this issue as soon as possible. Looking forward to hearing from you. Thank you.
Sincerely, Hassan Raza
Thanks for your contribution to Nuxt! This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you would like this issue to remain open:
- Verify that you can still reproduce the issue in the latest version of nuxt-edge
- Comment the steps to reproduce it
Issues that are labeled as pending will not be automatically marked as stale.
Yes, I can still reproduce this issue after you update your version.
Here are the steps to reproduce the vulnerability:
1. Open Notepad and paste the following code.
3. And just simply open that...
Or copy the link below and paste it in your updated browser (Chrome, Firefox). https://clickjacker.io/test?url=https://nuxtjs.org/
This still applies to nuxt.com. Mitigating this potential issue would mean that the docs can't be used inside an iframe anymore.
As long as it's SSG, we cannot do much about it as we don't control the headers (as far as I know).
Anyway, we don't use cookies for our websites so it should be fine, and if they are, we are using the SameSite lax policy.
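The report and the maintainer replies above both turn on which response headers restrict framing. The following is an added example in JavaScript (not code from the issue or from the Nuxt project) that evaluates a plain header object the way a browser would: CSP `frame-ancestors` takes precedence over `X-Frame-Options`, and an unrecognised or obsolete value (such as `ALLOW-FROM`) gives no protection. The sample headers in the test are constructed.

```javascript
// Assess whether a set of HTTP response headers tells browsers to refuse
// framing. Pure function over a plain object so it runs offline; in practice
// the object would come from a fetch() response (e.g. Object.fromEntries(res.headers)).

function parseFrameAncestors(csp) {
  // Return the source list of the frame-ancestors directive, or null if absent.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      // Strip the quotes around keywords such as 'self' and 'none'.
      return parts.slice(1).map((s) => s.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

function assessFramingHeaders(headers) {
  // Header names are case-insensitive; normalise them once.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // A CSP frame-ancestors directive wins over X-Frame-Options when both are set.
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors) {
    if (ancestors.includes('none')) return { framable: false, by: 'csp', policy: "frame-ancestors 'none'" };
    if (ancestors.includes('*')) return { framable: true, by: 'csp', policy: 'frame-ancestors *' };
    return { framable: 'restricted', by: 'csp', policy: `frame-ancestors ${ancestors.join(' ')}` };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { framable: false, by: 'xfo', policy: 'DENY' };
  if (xfo === 'SAMEORIGIN') return { framable: 'same-origin', by: 'xfo', policy: 'SAMEORIGIN' };
  if (xfo) {
    // ALLOW-FROM was never supported by Chrome/Safari and was dropped by Firefox;
    // any value a browser does not recognise is ignored, i.e. no restriction.
    return { framable: true, by: 'xfo', policy: xfo, note: 'unrecognised or obsolete value; browsers ignore it' };
  }
  // Neither header present: the page can be embedded by any origin.
  return { framable: true, by: null, policy: null };
}

module.exports = { parseFrameAncestors, assessFramingHeaders };
```

Hosting providers for static (SSG) deployments generally let you add these headers through their own configuration, so the check above is also useful for verifying what the CDN in front of the site actually sends.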