Bugs

Vulnerability Report- Actionable page vulnerable to Clickjacking
Hi, as an ethical hacker I have found some vulnerabilities in your website chainplay.gg, one of which is "CLICKJACKING".

DESCRIPTION:
Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website. Also known as a "UI redress attack", it is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.

Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user believes they are clicking the visible page but in fact they are clicking an invisible element in the additional page transposed on top of it. The invisible page could be a malicious page, or a legitimate page the user did not intend to visit (which has been happening a lot recently).

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing the password to their email or bank account, but are instead typing into an invisible frame controlled by the hacker.

POC:

    <html>
    <body>
      <!-- If the login page renders inside this frame, the site is not blocking framing -->
      <iframe height="500" width="500" src="https://chainplay.gg/login/"></iframe>
    </body>
    </html>

IMPACTS:
By using the clickjacking technique, an attacker hijacks clicks meant for one page and routes them to another page, most likely for another application or domain, thus gathering the sensitive and secret information of your customers.

For more details: https://www.troyhunt.com/clickjack-attack-hidden-threat-right-in/

REMEDIATION:
The frame busting technique is the better framing protection technique. Send the proper X-Frame-Options HTTP response headers that instruct the browser not to allow framing from other domains.

FIX:
An "X-FRAME" header needs to be applied which will not allow other domains to frame you.

Looking forward to hearing from you soon on this and to reporting further bugs.

Regards,
Phoenix
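A check for the fix described in the report, added here as an example that is not part of Phoenix's post or of the chainplay.gg site: given a response's headers (the sample header sets below are constructed), it reports which framing policy the page actually carries, treating CSP frame-ancestors as taking precedence over X-Frame-Options the way current browsers do.

```python
"""Evaluate HTTP response headers for clickjacking (framing) protection."""
from typing import Dict, List


def _split_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [tokens]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.strip("'").lower() for t in tokens[1:]]
    return policy


def framing_protection(headers: Dict[str, str]) -> str:
    """Return 'denied', 'same-origin', 'restricted' or 'none'.

    Browsers that support CSP frame-ancestors honour it over X-Frame-Options,
    so it is checked first. Header names are compared case-insensitively.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    ancestors = _split_csp(hdrs.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None:
        if ancestors == ["none"]:
            return "denied"
        if ancestors == ["self"]:
            return "same-origin"
        return "restricted"  # explicit allow-list of origins
    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers: no protection
    return "none"


# Constructed sample responses (not captured from any real site)
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_only": {"X-Frame-Options": "sameorigin"},
    "csp_deny": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy_allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:18} -> {framing_protection(hdrs)}")
```

Only "denied" and "same-origin" block a third-party page from framing the login form; "none" is the state the POC above depends on.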