Comments (7)
This repo is for bitcoincore.org, not bitcoin.org.
bitcoincore.org is a static website, there is nothing to clickjack.
If an attacker can direct a user to a malicious site where they can be clickjacked to click a malicious link, the attacker can also just set up a clone of bitcoincore.org on that malicious site and fill it with malicious links without needing to do any clickjacking. The website is static, and its full source code is right here.
from bitcoincore.org.
Which part of "please describe actual impacts" did you not understand?
I don't care about what your scanner says. Describe what an attacker can actually do.
Sorry to say, Sir, what you have said above is that the attacker can attack by cloning, but according to me, no matter how much the attacker clones, he cannot use your URL. Sir, can you provide me any milestone or anything?
Thank you so much for your guidance.
Please describe actual impacts of your supposed vulnerability by using and demonstrating it on bitcoincore.org. Do not make vague statements about what clickjacking (or any other "vulnerability" you decide to report from your scanner) can do, describe actual effects on this specific website. Otherwise, this is just spam and noise and you've contributed nothing of use. Continue to do so and you will be blocked.
bitcoincore.org is not a web application. There are no accounts, no forms for users to submit, nothing. It's a static site with a bunch of links. If clickjacking allows an attacker to trick users to click on links/buttons that do something unexpected but still on the bitcoincore.org domain, then all they've done is redirect the user to some other static page.
Sir, the same clickjacking is also available in https://bitcoincore.org/
The attack is possible thanks to HTML frames (iframes), the ability to display web pages within other web pages through frames. If a web page allows itself to be displayed within a frame, an attacker can cover the original web page with a hidden, transparent layer with its own JavaScript and UI elements. The attacker then tricks users into visiting the malicious page, which looks just like a site users know and trust. There is no indication there is a hidden UI layered over the original site. Users click a link or a button, expecting a particular action from the original site, and the attacker’s script runs instead. But the attacker’s script can also execute the expected action to make it appear nothing has gone wrong. Clickjacking itself is not the end goal of the attack; it is simply a means of launching some other attack by making users think they are doing something safe. The actual attack can be virtually anything possible via web pages. This ranges from malicious actions, such as installing malware or stealing credentials, to more innocuous things, such as boosting click stats on unrelated sites, boosting ad revenues on sites, gaining likes on Facebook, or increasing views of YouTube videos.
Testing
Clickjacking test – Is your site vulnerable? A basic way to test if your site is vulnerable to clickjacking is to create an HTML page and attempt to include a sensitive page from your website in an iframe. It is important to execute the test code on another web server, because this is the typical behavior in a clickjacking attack. Use code like the following, provided as part of the OWASP Testing Guide:

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="http://www.yoursite.com/sensitive-page" width="500" height="500"></iframe>
</body>
</html>

View the HTML page in a browser and evaluate the page as follows: If the text "Website is vulnerable to clickjacking" appears and below it you see the content of your sensitive page, the page is vulnerable to clickjacking. If only the text "Website is vulnerable to clickjacking" appears, and you do not see the content of your sensitive page, the page is not vulnerable to the simplest form of clickjacking.

Thank you
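The iframe test above only tells you whether one browser rendered one page; the property it is probing is whether the response headers forbid framing. The following is an added example (not code from bitcoincore.org, the Bitcoin Core project, or the OWASP Testing Guide) that decides frameability from the headers alone, applying the rule browsers use: a `Content-Security-Policy` `frame-ancestors` directive, when present, takes precedence over `X-Frame-Options`, and `ALLOW-FROM` or unknown `X-Frame-Options` values are ignored. The origins (`https://www.yoursite.com`, `https://attacker.example`, `https://app.partner.example`) and every header set in `SAMPLE_RESPONSES` are constructed for the example, not captured from any real site, and the source-expression matcher simplifies the CSP grammar (a source without a port accepts any port; a source without a scheme accepts any scheme).

```python
"""Decide whether an attacker origin could frame a page, from that page's
response headers. Added example; headers and origins below are constructed."""
from urllib.parse import urlsplit


def _origin_parts(origin):
    """Normalise an origin string to (scheme, host, port)."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    port = u.port or (443 if scheme == "https" else 80)
    return scheme, (u.hostname or "").lower(), port


def _matches_source(src, page_origin, framer_origin):
    """Match one frame-ancestors source expression against framer_origin.
    Simplified CSP matching (assumption): no port in the source accepts any
    port, no scheme in the source accepts any scheme."""
    src = src.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return _origin_parts(framer_origin) == _origin_parts(page_origin)
    if src == "*":
        return True
    f_scheme, f_host, f_port = _origin_parts(framer_origin)
    if src.endswith(":") and "/" not in src:      # scheme-source, e.g. "https:"
        return f_scheme == src[:-1]
    scheme, _, rest = src.partition("://")         # host-source, e.g. https://*.x.example:8443
    if not rest:
        scheme, rest = "", src
    host, _, port = rest.partition(":")
    if scheme and scheme != f_scheme:
        return False
    if port and port != "*" and int(port) != f_port:
        return False
    if host.startswith("*."):
        return f_host.endswith(host[1:])           # any subdomain, never the bare apex
    return f_host == host


def is_frameable(headers, page_origin, framer_origin):
    """Return (frameable, reason) for a page served with `headers` (a dict,
    header names case-insensitive) when embedded by framer_origin."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # CSP frame-ancestors is authoritative; X-Frame-Options is ignored.
            # An empty source list matches nothing, like 'none'.
            allowed = any(_matches_source(s, page_origin, framer_origin)
                          for s in value.split())
            return allowed, "CSP frame-ancestors %s" % (value or "(empty)")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        same = _origin_parts(page_origin) == _origin_parts(framer_origin)
        return same, "X-Frame-Options: SAMEORIGIN"
    if xfo:
        # ALLOW-FROM and malformed values are dropped by current browsers.
        return True, "X-Frame-Options: %s (ignored by browsers)" % xfo
    return True, "no framing restriction"


# Constructed sample responses (not captured from bitcoincore.org).
SAMPLE_RESPONSES = {
    "no-headers": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-partner": {"Content-Security-Policy":
                    "frame-ancestors 'self' https://*.partner.example"},
    "csp-overrides-xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors *"},
}


def report(page_origin="https://www.yoursite.com",
           framer_origin="https://attacker.example"):
    """Evaluate every sample response for the given page/framer pair."""
    return {name: is_frameable(hdrs, page_origin, framer_origin)
            for name, hdrs in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, (ok, why) in report().items():
        print("%-18s frameable=%-5s %s" % (name, ok, why))
```

A "frameable" result is a finding only if the framed page does something on the user's behalf (a logged-in session, a form, a state-changing button); for a static site with none of those, it is hygiene rather than impact, and the fix is still the one-line `Content-Security-Policy: frame-ancestors 'none'`, with `X-Frame-Options: DENY` for older browsers.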
It's clear you have no idea what you're actually doing and are just spamming automated scanner reports.