Vulnerability type Click Jacking

[raza234]

Hi team,

This time i founded this vulnerability in your website:
https://nuxtjs.org/

Click jacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

The server didn't return an X-Frame-Options header which means that this website could be at risk of a click jacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a or <iframe>. Sites can use this to avoid click jacking attacks, by ensuring that their content is not embedded into other sites.

This vulnerability affects Web Server.

Here are the steps to reproduce the vulnerability:

1.open notepad and paste the following code.

<title>i Frame</title>

This is clickjacking vulnerable

<iframe src=" https://nuxtjs.org/ " frameborder="2 px" height="500px" width="500px"></iframe>

2.save it as .html eg s.html

3.and just simply open that...

OR
Copy the link below and paste on your updated browser (Chrome,Firefox).
https://clickjacker.io/test?url=https://nuxtjs.org/
As far as i know this data is enough to prove that your site is vulnerable to Click jacking
according to OWASP its more than enough.

https://www.owasp.org/index.php/Testing_for_Clickjacking_(OWASP-CS-004)

SOLUTION:

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

Check this out and here is the solution for that.

I Hope that you will fix this issue as soon as possible. Looking forward to hear from you. Thank you

Sincerely,
Hassan Raza

[stale]

Thanks for your contribution to Nuxt!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
If you would like this issue to remain open:

1. Verify that you can still reproduce the issue in the latest version of nuxt-edge
2. Comment the steps to reproduce it

Issues that are labeled as pending will not be automatically marked as stale.

[raza234]

Yes I still can reproduce this issue after you update you version.

Here are the steps to reproduce the vulnerability:

1.open notepad and paste the following code.

<title>i Frame</title> This is clickjacking vulnerable <iframe src=" https://nuxtjs.org/ " frameborder="2 px" height="500px" width="500px"></iframe> 2.save it as .html eg s.html

3.and just simply open that...

OR
Copy the link below and paste on your updated browser (Chrome,Firefox).
https://clickjacker.io/test?url=https://nuxtjs.org/

[manniL]

This still applies to nuxt.com. Mitigating this potential issue would mean that the docs can't be used inside an iframe anymore.

[Atinux]

As long as it's SSG, we cannot do much about it as we don't control the headers (as far as I know).

Anyway, we don't use cookie for our websites so should be fine, and if they are, we are using the SameSite lax policy.