Comments (5)
Hey @pauliusjacionis, thanks for raising this! I saw a bug bounty report similar to what you mentioned using this tool to bypass X-Frame-Options, and the reporter suggested using the "Content-Security-Policy: frame-ancestors 'self';" header. Any thoughts on alternative measures that can be implemented besides depending solely on the CSP header?
Proxy servers can strip headers, meta tags, and modify HTML. The suggested solution would not fix the "vulnerability".
This is a scam. There is no vulnerability, and there is no fix.
The scammers claim they can clickjack your website, but that is not what is happening. They are clickjacking a different domain name. Sure, it appears to be your website, but it is not. It's just a live copy of your website. They could simply upload a copy of your website's HTML on their server and achieve the same result, no proxy needed.
from x-frame-bypass.
We have had a similar attempt at my company. All that was shown as evidence was a sign in page on their localhost as well as the HTML from that page they were hosting. Just to reaffirm others, @pauliusjacionis is correct as far as I can tell with a quick dive into it.
Thanks for posting the clarification. Bug bounty scammers are still active. Please consider pinning this issue or adding a small reference in the readme.
+1, just received one too and was highly sceptical as usual (I couldn't see how this could be exploited for real) but I didn't know about this so I investigated a bit to learn about the CSP attribute they mention. Thanks for confirming here as it saved me some reading and testing. I guess this is a good "vulnerability" for the scammers because it is:
- Rather new and unknown to most web devs
- Easy to show a simple screenshot as "proof"
- Easy to automate to find websites which have one header but not the CSP
As I checked this project right after receiving the report, I agree with @HansSchouten it would be nice to add some line to the readme just to warn the future victims and save them some time. I understand this shouldn't be the responsibility of the library writer to deal with scammers, but unfortunately I don't see a better place to help the targets.
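An added example (not from the x-frame-bypass project or any of the commenters) that puts two points from this thread into code: a triage helper that reads a response's X-Frame-Options and CSP frame-ancestors headers, applied to constructed headers for the real origin and for the header-stripping proxy copy the scammers screenshot. The header values are made up for illustration.

```python
"""Classify the framing protection a set of HTTP response headers provides.

Added example, not x-frame-bypass code. The sample headers are constructed
to show the thread's point: the proxy serves its own response, without the
origin's anti-framing headers, so a "proof" screenshot of that copy says
nothing about the real site.
"""
from typing import Dict, List, Optional


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the first frame-ancestors directive in a CSP
    header, or None when the directive is absent (CSP ignores later duplicates)."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_protection(headers: Dict[str, str]) -> Dict[str, object]:
    """Summarise which anti-framing controls a response carries.
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    # Either control restricts framing when present; frame-ancestors wins over
    # X-Frame-Options in browsers that support it. A wildcard list restricts nothing.
    restricted = xfo in ("DENY", "SAMEORIGIN") or (
        ancestors is not None and "*" not in ancestors
    )
    return {
        "x_frame_options": xfo or None,
        "frame_ancestors": ancestors,
        "framing_restricted": restricted,
    }


# Constructed sample: what the origin server sends to the browser...
ORIGIN_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
}
# ...and what a header-stripping proxy hands the browser instead. The framed
# document's origin is the proxy's, so the origin's headers never applied here.
PROXY_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for name, hdrs in (("origin", ORIGIN_HEADERS), ("proxy copy", PROXY_HEADERS)):
        print(name, framing_protection(hdrs))
```

Run against your own site's real response headers, the check tells you whether the origin is protected; the proxy copy will always come back unrestricted, which is exactly why it is not evidence of a bypass.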