Frameable response (potential Clickjacking)

[sveeke]

The application surf-dev2.edubadges.nl fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP header, it is possible for a page controlled by an attacker to load it within an iframe.

[sveeke]

It is possible to embed the website in an iframe that could be used for clickjacking.

Example POC:

<html>
   <head>
     <title>Clickjack test page</title>
   </head>
   <body>
     <p>Website is vulnerable to clickjacking!</p>
     <iframe src="https://surf-dev2.edubadges.nl/recipient/badges" width="100%" height="100%"></iframe>
   </body>
</html>

impact:
This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery and may result in unauthorized actions.

recommendation:
To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.