Vulnerability Disclosure Form

The document reports a clickjacking vulnerability found on the website https://www.annauniv.edu/. Clickjacking is an attack that tricks users into clicking on something other than what they think they are clicking on. The site can be embedded in an iframe on a page served from another origin because it does not send the anti-clickjacking response headers (an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive) that would stop browsers from rendering it inside another site's frame.

NCIIPC Responsible Vulnerability Disclosure

1. Reporter's Details
a) Full Name: MANOJ T
b) Email: [email protected]
c) Organisation/Company: N/A

2. Vulnerability Details
a) Vulnerability Name: Click Jacking
b) Vulnerability category (options on the form: XSS, SQLI, Stack Overflow, LFI, Click Jacking, Use After Free, XSRF, Information Leakage, Heap Overflow, Insecure Direct Object Reference, Broken Authentication, Memory Corruption, Security Misconfiguration): Click Jacking [marked]
c) Description (use separate sheet for additional information):
Bug: Click Jacking
Severity: Medium

3. Type of Vulnerability (options: Web Application, Operating System (OS), SCADA, Any Other; if other, describe in brief): Web Application [marked]

4. Date when issue found (dd/mm/yyyy): 24/08/2022

5. Steps to reproduce:
1. Create a new HTML file.
2. Put <iframe src="https://www.annauniv.edu/" height="550px" width="700px"></iframe> in it.
3. Save the file.
4. Open the document in a browser.
5. You can see the website "https://www.annauniv.edu/" rendered inside the iframe of the local HTML page.

6. Whether POC screenshots/files/documents attached? (Yes/No): Yes [marked]
7. Reported to Affected Organisation? (Yes/No): (none marked)
8. Affected Organisation's name: Anna University
9. Affected Organisation's URL: https://www.annauniv.edu/
10. Affected Organisation's email: (blank)
11. Vulnerable Product type (options: Web Application, Client Software, Server Software, Firmware, Operating System, Hardware): (none marked)
12. Vulnerable Product name & Version: Click Jacking (as entered by the reporter; no product name or version is given)
13. If reported, Email ID to whom details sent: (blank)
14. If reported, date when reported: 24/08/2022
15. Patch released? (Yes/No): (none marked)
16. If patch released, date of patch release (dd/mm/yyyy): (blank)
17. Anonymity (Yes/No): (none marked)

Summary:
Clickjacking is an attack that fools users into thinking they are clicking on one thing when they are actually clicking on another. Its other name, user interface (UI) redressing, better describes what is going on. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

Impact:
An attacker can send the user a malicious link to a page that embeds the site in an invisible or disguised iframe. When the user clicks what appears to be an image or button on the attacker's page, the click lands on a control in the framed site, for example an action that deactivates their account, without the user realising it. The practical severity depends on whether the framed pages expose authenticated, state-changing controls; a frameable page with no such controls is a missing hardening header rather than a directly exploitable issue.

Solution:
The vulnerability can be fixed by adding "frame-ancestors 'self';" to the Content-Security-Policy header (or 'none' if the site never needs to frame itself), and also sending X-Frame-Options: SAMEORIGIN (or DENY) for older browsers that do not support frame-ancestors. Browsers that understand frame-ancestors ignore X-Frame-Options when both are present, so the two values should agree.
