Report ID
#27100
Report type
Websites and Applications
Has PoC?
Yes
Target
https://basin.exchange
Impacts
- Persistent content spoofing / text injection issues
Description
Hello Team,
I hope you are doing well. I found another security issue on https://basin.exchange/. See the details below.
A clickjacking vulnerability has been identified on the https://basin.exchange/ platform. Clickjacking is a security vulnerability that allows an attacker to trick users into clicking on elements unknowingly, potentially leading to unintended actions being performed.
Impact
Clickjacking vulnerabilities can lead to unauthorized actions and potential data exposure. This poses a risk to the integrity and security of user interactions on the basin.exchange platform.
Fix
Implement measures to mitigate clickjacking vulnerabilities, such as adding the X-Frame-Options header to prevent the platform from being embedded within iframes or frames on malicious websites. Additionally, review and update the platform's frontend code to ensure that user interactions are properly validated and protected against clickjacking attacks.
Steps to Reproduce
- Open https://www.clickjackingtest.com/ (my own web page to test iframes)
- Enter the URL https://basin.exchange/ and click on submit
- Observe that the web app https://basin.exchange/ is embedded in an iframe
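The report checks framing with a third-party test page. The script below is an added example (not part of the original report, and not basin.exchange's code) that does the same check offline: it classifies a set of response headers by whether an arbitrary origin can frame the page, honouring the rule that a Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options, and it generates a minimal iframe PoC page equivalent to the one the reporter used. The header sets are constructed samples for illustration, not real captures from the target; the `fetch_headers` helper is the only part that touches the network and is not needed for the sample run.

```python
"""Clickjacking exposure check: header analysis plus a minimal iframe PoC.

Added example for this report; the header values below are constructed
samples, not responses captured from basin.exchange.
"""
from __future__ import annotations

import html


def frame_ancestors_directive(csp: str | None) -> list[str] | None:
    """Return the frame-ancestors source list from a CSP header value, or None if absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # Drop the quotes around keywords such as 'none' / 'self'.
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_verdict(headers: dict[str, str]) -> str:
    """Classify whether an arbitrary third-party origin can frame the response.

    Returns 'not-frameable', 'restricted' (same-origin or an allow-list), or 'frameable'.
    Browsers that support frame-ancestors ignore X-Frame-Options when both are present,
    so the CSP directive is evaluated first. Content-Security-Policy-Report-Only is
    deliberately ignored: it is never enforced.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    ancestors = frame_ancestors_directive(lowered.get("content-security-policy"))
    if ancestors is not None:
        if not ancestors or ancestors == ["none"]:
            return "not-frameable"  # empty source list matches nothing, same as 'none'
        if any(src in ("*", "https:", "http:") for src in ancestors):
            return "frameable"  # wildcard or scheme-only source lets any origin frame
        return "restricted"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "not-frameable"
    if xfo == "SAMEORIGIN":
        return "restricted"
    # Header missing, or the obsolete ALLOW-FROM value that current browsers ignore.
    return "frameable"


def poc_html(target_url: str) -> str:
    """Build a minimal clickjacking test page that frames target_url.

    Open the result in a browser: if the target renders inside the frame, the
    site lacks framing protection. The low opacity mimics an overlay attack.
    """
    safe = html.escape(target_url, quote=True)
    return (
        "<!doctype html><html><body>"
        f"<p>Clickjacking test: framing {safe}</p>"
        f'<iframe src="{safe}" width="800" height="600" '
        'style="opacity:0.4;position:absolute;top:0;left:0"></iframe>'
        "</body></html>"
    )


def fetch_headers(url: str) -> dict[str, str]:
    """Fetch live response headers (network access; not used by the offline sample)."""
    import urllib.request

    with urllib.request.urlopen(urllib.request.Request(url, method="GET")) as resp:
        return dict(resp.headers.items())


# Constructed samples: a response with no framing protection and a hardened one.
VULNERABLE_HEADERS = {"Content-Type": "text/html", "Server": "nginx"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, hdrs in (("vulnerable", VULNERABLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{name}: {framing_verdict(hdrs)}")
    print(poc_html("https://basin.exchange/"))
```

For a remediation to count as complete, the hardened response should produce `not-frameable` here; `frame-ancestors 'none'` is the current mechanism and `X-Frame-Options: DENY` is kept only as a fallback for older browsers.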
Reference
https://medium.com/metamask/metamask-awards-bug-bounty-for-clickjacking-vulnerability-9f53618e3c3a
https://hackerone.com/reports/591432