Find a bug? Report it here 🙌
Vulnerability Found!
Greetings team, I am a web security researcher and, as an ethical hacker, I found this vulnerability on the domain 'www[dot]yaara[dot]ai'.

Vulnerability: CLICKJACKING

DESCRIPTION: Clickjacking, also known as a 'UI redress attack', is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is 'hijacking' clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both. Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of style sheets, iframes, and text boxes, a user can be led to believe they are typing the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

POC (save this as a .html file):

    <html>
      <head>
        <title>ClickJacking Test</title>
      </head>
      <body>
        <!-- If the login page renders inside this frame, the site allows framing -->
        <iframe width='1000' height='500' src='https://app.yaara.ai/login'></iframe>
      </body>
    </html>

Screenshot demonstrating the POC:

IMPACTS: By using the clickjacking technique, an attacker hijacks the clicks meant for one page and routes them to another page, most likely for another application, domain, or both. Another scenario is that a user is tricked into clicking on something that he didn't intend to, meaning an attacker could possibly perform any action that a user can do on the web app, just like CSRF.

Remediation: The frame busting technique is the better framing protection technique. Send the proper X-Frame-Options HTTP response headers, which instruct the browser to not allow framing from other domains.

For Fix: It is missing an X-FRAME header. An attacker, with the help of some tricky CSS, can trick users into clicking on the one-click actions. You should apply an X-FRAME header.

Hoping to receive a bounty/reward for the responsible disclosure once it is validated.

Thanks, kind regards,
Ryan
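The remediation in the report (the "X-FRAME header", i.e. X-Frame-Options, and its modern replacement, the CSP frame-ancestors directive) can be both verified and applied with a small script. The following is an added example, not code from the original report or from the site's team: it assumes response headers are available as a plain dict (for example from a requests response or a proxy log), and every header set and origin it uses (app.example.com, trusted.example, evil.example) is constructed for illustration. The check mirrors browser behaviour in two respects the report does not spell out: a CSP frame-ancestors directive takes precedence over X-Frame-Options, and an absent or unrecognised X-Frame-Options value (including the obsolete ALLOW-FROM) gives no protection at all. Response headers are enforced by the browser before any page script runs, which is why they are preferred over JavaScript frame-busting.

```python
"""Check and apply clickjacking (framing) protection headers.

Added example, not code from the original report. It assumes response
headers are available as a plain dict (e.g. from requests or a proxy log);
all header sets and origins below are constructed for illustration.
"""
from urllib.parse import urlsplit


def _origin(url):
    """Return scheme://host[:port] of a URL, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _source_matches(source, framer_origin):
    """CSP source-expression matching (subset: full origin, bare host, *.host)."""
    framer_host = framer_origin.split("://", 1)[1]
    if source in (framer_origin, framer_host):
        return True
    if source.startswith("*.") and framer_host.endswith(source[1:]):
        return True
    return False


def framing_allowed(headers, page_url, framer_url):
    """Would a browser let `framer_url` embed `page_url` in an iframe?

    Returns (allowed, reason). A CSP frame-ancestors directive takes
    precedence over X-Frame-Options; an absent, empty or unrecognised
    X-Frame-Options value (including obsolete ALLOW-FROM) gives no protection.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page_origin = _origin(page_url)
    framer_origin = _origin(framer_url)

    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.strip("'").lower() for t in tokens[1:]]
            if "none" in sources:
                return False, "CSP frame-ancestors 'none'"
            if "*" in sources:
                return True, "CSP frame-ancestors allows any origin"
            if "self" in sources and framer_origin == page_origin:
                return True, "CSP frame-ancestors 'self' (same origin)"
            if any(_source_matches(s, framer_origin) for s in sources):
                return True, "framer is listed in CSP frame-ancestors"
            return False, "framer not listed in CSP frame-ancestors"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        if framer_origin == page_origin:
            return True, "X-Frame-Options: SAMEORIGIN (same origin)"
        return False, "X-Frame-Options: SAMEORIGIN (cross origin)"
    if xfo:
        # ALLOW-FROM and misspelt values are ignored by modern browsers.
        return True, f"unrecognised X-Frame-Options value {xfo!r} is ignored"
    return True, "no X-Frame-Options or CSP frame-ancestors header"


def framing_protection_headers(trusted_framers=()):
    """Headers a server should add to every response to fix the finding.

    With no trusted framers the page cannot be embedded anywhere. With an
    allow-list, CSP carries the list and X-Frame-Options falls back to
    SAMEORIGIN for browsers without CSP support (it cannot express a list).
    If the app already sends a Content-Security-Policy, merge the
    frame-ancestors directive into it instead of replacing the header.
    """
    if not trusted_framers:
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    sources = " ".join(["'self'", *trusted_framers])
    return {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": f"frame-ancestors {sources}"}


if __name__ == "__main__":
    page = "https://app.example.com/login"            # constructed target page
    framer = "https://evil.example/clickjack.html"    # constructed framing page
    print(framing_allowed({}, page, framer))                            # vulnerable
    print(framing_allowed(framing_protection_headers(), page, framer))  # fixed
```

Run it against a real response by passing `resp.headers` from the site's login page as the first argument; a result of `(True, "no X-Frame-Options or CSP frame-ancestors header")` reproduces the finding, and adding the dict returned by `framing_protection_headers()` to every response of the application closes it.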