
Comments (7)

achow101 commented on July 17, 2024

This repo is for bitcoincore.org, not bitcoin.org.

bitcoincore.org is a static website, there is nothing to clickjack.

If an attacker can direct a user to a malicious site where they can be clickjacked to click a malicious link, the attacker can also just set up a clone of bitcoincore.org on that malicious site and fill it with malicious links without needing to do any clickjacking. The website is static, and its full source code is right here.

from bitcoincore.org.

achow101 commented on July 17, 2024

Which part of "please describe actual impacts" did you not understand?

I don't care about what your scanner says. Describe what an attacker can actually do.


Vinaysati commented on July 17, 2024

Sorry to say, Sir, what you have said above is that the attacker can attack by cloning, but according to me, no matter how much the attacker clones, he cannot use your URL. Sir, can you provide me any milestone or anything?

Thank you so much for your guidance.


achow101 commented on July 17, 2024

Please describe actual impacts of your supposed vulnerability by using and demonstrating it on bitcoincore.org. Do not make vague statements about what clickjacking (or any other "vulnerability" you decide to report from your scanner) can do, describe actual effects on this specific website. Otherwise, this is just spam and noise and you've contributed nothing of use. Continue to do so and you will be blocked.

bitcoincore.org is not a web application. There are no accounts, no forms for users to submit, nothing. It's a static site with a bunch of links. If clickjacking allows an attacker to trick users to click on links/buttons that do something unexpected but still on the bitcoincore.org domain, then all they've done is redirect the user to some other static page.


Vinaysati commented on July 17, 2024

Sir, the same clickjacking is also present on https://bitcoincore.org/
[Screenshot 2024-02-06 231454]


Vinaysati commented on July 17, 2024

The attack is possible thanks to HTML frames (iframes), the ability to display web pages within other web pages through frames. If a web page allows itself to be displayed within a frame, an attacker can cover the original web page with a hidden, transparent layer with its own JavaScript and UI elements. The attacker then tricks users into visiting the malicious page, which looks just like a site users know and trust. There is no indication there is a hidden UI layered over the original site. Users click a link or a button, expecting a particular action from the original site, and the attacker’s script runs instead. But the attacker’s script can also execute the expected action to make it appear nothing has gone wrong. Clickjacking itself is not the end goal of the attack; it is simply a means of launching some other attack by making users think they are doing something safe. The actual attack can be virtually anything possible via web pages. This ranges from malicious actions, such as installing malware or stealing credentials, to more innocuous things, such as boosting click stats on unrelated sites, boosting ad revenues on sites, gaining likes on Facebook, or increasing views of YouTube videos.

Testing

Clickjacking test – Is your site vulnerable? A basic way to test if your site is vulnerable to clickjacking is to create an HTML page and attempt to include a sensitive page from your website in an iframe. It is important to execute the test code on another web server, because this is the typical behavior in a clickjacking attack. Use code like the following, provided as part of the OWASP Testing Guide:

```html
<!-- Host this file on a different origin from the site under test. -->
<html>
  <head>
    <title>Clickjack test page</title>
  </head>
  <body>
    <p>Website is vulnerable to clickjacking!</p>
    <iframe src="http://www.yoursite.com/sensitive-page" width="500" height="500"></iframe>
  </body>
</html>
```

View the HTML page in a browser and evaluate the page as follows: If the text “Website is vulnerable to clickjacking” appears and below it you see the content of your sensitive page, the page is vulnerable to clickjacking. If only the text “Website is vulnerable to clickjacking” appears, and you do not see the content of your sensitive page, the page is not vulnerable to the simplest form of clickjacking.

Thank you

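The iframe test in the comment above only tells you whether a browser rendered the frame. The equivalent check on the server side is to read the response headers: a page is framable by a third party unless it sends `X-Frame-Options: DENY`/`SAMEORIGIN` or a Content-Security-Policy `frame-ancestors` directive that excludes the framer (browsers that support `frame-ancestors` ignore `X-Frame-Options` when the directive is present). The script below is an added example, not code from this thread or from the bitcoincore.org repository; the function names and every sample header set in it are constructed, and the host matching is a deliberate simplification of the CSP source-expression rules (no port handling, a host source without a scheme matches any scheme).

```python
"""Clickjacking exposure check: can a page served with these headers be framed?

Added example; not code from this thread or from bitcoincore.org. Function names
and the sample header sets below are constructed for illustration.
"""
from urllib.parse import urlsplit


def parse_frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def host_source_matches(pattern, origin):
    """Simplified CSP host-source match: optional scheme, optional *. wildcard, no ports."""
    if "://" in pattern:
        p_scheme, p_host = pattern.split("://", 1)
    else:
        p_scheme, p_host = None, pattern
    parsed = urlsplit(origin)
    if p_scheme and p_scheme != parsed.scheme:
        return False
    host = parsed.hostname or ""
    if p_host.startswith("*."):
        return host.endswith(p_host[1:])  # "*.a.example" -> ".a.example"
    return host == p_host


def can_be_framed(headers, page_origin, framer_origin):
    """True if a page at page_origin served with `headers` may be embedded by framer_origin.

    CSP frame-ancestors is consulted first because browsers that support it ignore
    X-Frame-Options whenever the directive is present.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    page_origin = page_origin.lower()
    framer_origin = framer_origin.lower()

    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            if ancestors == ["'none'"]:
                return False
            for src in ancestors:
                if src == "*":
                    return True
                if src == "'self'":
                    if framer_origin == page_origin:
                        return True
                elif src != "'none'" and host_source_matches(src, framer_origin):
                    return True
            return False

    xfo = lower.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return framer_origin == page_origin
    # No header, an invalid value, or the obsolete ALLOW-FROM: modern browsers allow framing.
    return True


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "no protection": {"Content-Type": "text/html"},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "xfo sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp partner": {"Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example"},
    "csp overrides xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors *"},
}


def report(page_origin="https://bitcoincore.org", attacker="https://attacker.example"):
    """Map each sample label to whether the attacker origin could frame the page."""
    return {name: can_be_framed(h, page_origin, attacker) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, framable in report().items():
        print(f"{name:20s} framable by attacker: {framable}")
```

The check reports framability, not impact. That is the distinction the thread turns on: for a page with no session, no forms and no state-changing actions, a "framable" result is a true finding with nothing behind it, so a report should pair the header check with the action an attacker could actually hijack on the framed page.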

achow101 commented on July 17, 2024

It's clear you have no idea what you're actually doing and are just spamming automated scanner reports.

