Vulnerable URL : https://vfat.io/
Severity : Critical

Summary:
We have identified a critical clickjacking vulnerability on your website that poses a severe risk to your application and its users. Our assessment found that the entire application can be loaded inside an iframe on a third-party origin; we have shown only the login endpoint here to illustrate the flaw. Because the login page can be framed, an attacker can place it under a decoy page and trick users into entering their credentials into the framed login form without realising it, giving the attacker unauthorized access to any user account and compromising the confidentiality of users' email addresses and passwords. The same weakness can be chained with further attacks, including account takeover, cross-site scripting (XSS), DOM-based XSS, CSRF, account deletion, user account and victim privilege escalation, malware execution, and victim PC hijack.
Steps to Reproduce:
1) Open a text editor such as Notepad and paste the following HTML, which embeds the target page in an iframe:

<!DOCTYPE HTML>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<title>i Frame</title>
</head>
<body>
<h3>This is clickjacking vulnerable</h3>
<!-- If the target page renders inside this frame, it is not protected against framing -->
<iframe src="https://vfat.io/" frameborder="1" height="500" width="1000"></iframe>
</body>
</html>

2) Save the file with any name, for example "s.html".
3) Open the saved HTML file in a web browser. If the vfat.io page renders inside the frame, the application is not protected against framing.

Proof of concept: See the attached file.

Impact:
Because every endpoint of the application was found to be frameable, attackers can use clickjacking against both the application and its users. On the login endpoint, attackers can steal credentials and thereby gain unauthorized access to, and take over, any user account registered on the application, inheriting that account's privileges (victim privilege escalation). Clickjacking can also be chained with other attacks against users, including DOM-based XSS, CSRF, cross-site scripting, account deletion and malware execution; successful malware execution on a victim's machine gives the attacker control of the victim's PC (victim PC hijack). Through these chains attackers can execute malicious scripts on victims, escalate user account privileges, and take over all user accounts of the application.

Mitigations:
To mitigate the clickjacking vulnerability and secure the login page, we recommend the following measures:
Implement X-Frame-Options: Set the X-Frame-Options header to DENY or SAMEORIGIN to prevent the login page from being loaded inside an iframe on other domains.
Content Security Policy (CSP): Use a well-defined CSP with a frame-ancestors directive (for example frame-ancestors 'none' or frame-ancestors 'self') to restrict which origins may load the login page in a frame; modern browsers give this directive precedence over X-Frame-Options.
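As an added example, not part of this report and not vfat.io's own code, the following Python script classifies a set of HTTP response headers by the framing protection they provide, so that the recommended fix can be verified after deployment. It applies the CSP rule that an enforcing frame-ancestors directive takes precedence over X-Frame-Options, treats the obsolete ALLOW-FROM value as no protection (current browsers ignore it), and flags a wildcard frame-ancestors as open. The header sets in SAMPLES are constructed for illustration; passing a URL on the command line fetches live headers with urllib instead.

```python
"""Classify HTTP response headers by clickjacking (framing) protection.

Added example for this report; the SAMPLES header sets are constructed.
"""
import sys
import urllib.request

PROTECTIVE_XFO = ("DENY", "SAMEORIGIN")

# The header pair recommended in the Mitigations section, for comparison.
RECOMMENDED = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

# Constructed sample responses covering the common configurations.
SAMPLES = {
    "no_headers": {"Content-Type": "text/html"},
    "xfo_sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    # CSP overrides X-Frame-Options, so this wildcard re-opens framing despite DENY.
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
}


def parse_csp(value):
    """Split a CSP header value into {directive_name: [source_tokens]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def framing_protection(headers):
    """Return (level, reason) for a dict of response headers.

    level is one of:
      'csp'  - an enforcing CSP frame-ancestors directive restricts framing
      'xfo'  - X-Frame-Options DENY/SAMEORIGIN applies (no CSP override)
      'none' - any origin may frame the page (clickjackable)
    """
    lower = {k.lower(): v for k, v in headers.items()}

    # frame-ancestors, when present, takes precedence over X-Frame-Options,
    # so it is evaluated first. Report-Only policies are not enforced by the
    # browser and are deliberately not consulted.
    csp = lower.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            if not ancestors:
                return "none", "frame-ancestors has no source list; state 'none' or 'self' explicitly"
            if any(src in ("*", "http:", "https:") for src in ancestors):
                return "none", "frame-ancestors allows any origin: " + " ".join(ancestors)
            return "csp", "frame-ancestors " + " ".join(ancestors)

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in PROTECTIVE_XFO:
        return "xfo", "X-Frame-Options: " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return "none", "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    return "none", "no X-Frame-Options and no CSP frame-ancestors"


def check_url(url):
    """Fetch a URL and classify its live response headers (CLI use only)."""
    with urllib.request.urlopen(url) as resp:
        return framing_protection(dict(resp.headers.items()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_url(sys.argv[1]))
    else:
        for name, hdrs in SAMPLES.items():
            print("%-15s %s" % (name, framing_protection(hdrs)))
```

Run it with no arguments to see the classification of the constructed samples, or with a URL to check a deployed page; a result of 'none' on the login page means the iframe PoC above will still render it.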