Missing X-Frame-Options Header In Dsound

in #utopian-io · 7 years ago (edited)

Components

Dsound.audio is vulnerable to clickjacking. Clickjacking is a technique for fooling a web user by building a specially crafted web page that embeds the target site. On that page an attacker can trick the user into performing an action they did not intend, which may expose the victim's confidential data or make the victim upvote or follow a particular user.

image.png

Proposal

Dsound.audio should add the X-Frame-Options header. X-Frame-Options (XFO) takes one of three values: DENY, SAMEORIGIN, or ALLOW-FROM. DENY prevents the page from being displayed within a frame at all. SAMEORIGIN allows the page to be framed, but only by pages with the same origin. ALLOW-FROM is used together with a specific domain, which is then the only one allowed to frame the page.
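To make the header semantics concrete, here is an added Python check (not part of the original report) that decides whether a page's response headers would let a given origin frame it, together with the hardened header pair the proposal amounts to. It assumes the CSP frame-ancestors directive, the current replacement for X-Frame-Options (ALLOW-FROM was never supported by every browser), and simplifies source matching to exact origins.

```python
from urllib.parse import urlsplit

# Hardened response headers this report recommends (constructed example values).
# frame-ancestors is the CSP replacement for X-Frame-Options; sending both covers
# old browsers (XFO) and new ones (CSP, which takes precedence when present).
HARDENED_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

def origin_of(url: str) -> str:
    """Lower-cased scheme://host[:port] of a URL."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def framing_allowed(headers: dict, page_url: str, framer_url: str) -> bool:
    """Would a browser render page_url inside a frame hosted on framer_url?

    Applies X-Frame-Options semantics (DENY / SAMEORIGIN / ALLOW-FROM). If a CSP
    frame-ancestors directive is present it wins, as CSP Level 2 specifies.
    Source matching is simplified to exact origins (no wildcards or host patterns).
    """
    h = {k.lower(): v for k, v in headers.items()}
    page_origin, framer_origin = origin_of(page_url), origin_of(framer_url)

    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if "none" in sources:
                return False
            if "self" in sources and framer_origin == page_origin:
                return True
            return framer_origin in sources

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    if xfo.startswith("ALLOW-FROM"):
        # Legacy value; browsers that never implemented it ignore the header entirely.
        allowed = xfo[len("ALLOW-FROM"):].strip(" :")
        return framer_origin == origin_of(allowed)
    # No framing control at all: the page can be embedded from anywhere,
    # which is exactly what the report's <iframe> proof-of-concept demonstrates.
    return True
```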

Examples

Before implementing X-Frame-Options:
image.png

After implementing X-Frame-Options:
image.png

Proof-Of-Concept

<iframe src="https://dsound.audio/#!/feed" height="500px" width="500px">
  <p>Your browser does not support iframes.</p>
</iframe>

Benefits

After implementing this, Dsound.audio will no longer open inside an iframe tag, which means it is protected from the clickjacking bug and from attackers who would exploit it.



Posted on Utopian.io - Rewarding Open Source Contributors


Your contribution cannot be approved because it does not follow the Utopian Rules.

  • The Github repository linked to a Utopian contribution post must contain the project’s source code, a readme and a license.

You can contact us on Discord.
[utopian-moderator]
