This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 271430

Summary: Click Jacking Vulnerability Report
Product: www Reporter: paraywala
Component: Admin
Assignee: Jan Pirek <jpirek>
Status: CLOSED WONTFIX    
Severity: normal    
Priority: P1    
Version: 8.1   
Hardware: PC   
OS: Windows 8.1   
Issue Type: DEFECT
Exception Reporter:
Attachments: Click Jacking bug report poc

Description paraywala 2017-09-04 20:51:56 UTC
Created attachment 165086 [details]
Click Jacking bug report poc

Bug Type : ClickJacking
Checked in : Google Chrome
OS : Windows 8.1
Domain="https://netbeans.org/" 
Impact : Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both. Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.
POC:

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p><center>Website is vulnerable to clickjacking.</center></p>
<iframe src="https://netbeans.org/" width="1247" height="800"></iframe>
</body>
</html>
Save it as anyname.html, e.g. test.html

3. And simply just browse that html page

POC is attached
Regards,
Raja Ahtisham,
Web security researcher.
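Added example, not part of the report above and not netbeans.org's own configuration: the check a maintainer would run on a response before and after fixing this class of issue. The POC works only because the site's responses carry nothing that forbids embedding in an iframe; the two headers that forbid it are X-Frame-Options (DENY / SAMEORIGIN) and the CSP frame-ancestors directive. The function below classifies a response's headers, hardened_headers() returns the set a server should send, and the small handler serves a page with them. Header semantics follow the X-Frame-Options and CSP specifications; VULNERABLE_RESPONSE and the listen address are constructed sample values.

```python
"""Classify anti-framing headers and serve a page that cannot be framed (example code)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """Classify how a response restricts being embedded in an <iframe>.

    Returns "denied", "same-origin", "allowlist" or "unprotected".
    A CSP frame-ancestors directive overrides X-Frame-Options in browsers
    that support it, so it is evaluated first.
    """
    lower = {name.lower(): value for name, value in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:
            if not sources or sources == ["'none'"]:
                return "denied"          # no ancestor may embed the page
            if sources == ["'self'"]:
                return "same-origin"     # only the page's own origin may embed it
            if "*" in sources:
                return "unprotected"     # any origin may embed it
            return "allowlist"           # only the listed origins may embed it

    xfo = lower.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return "denied"
        if value == "SAMEORIGIN":
            return "same-origin"
        # ALLOW-FROM is obsolete; current browsers ignore the header entirely,
        # which leaves the page frameable, so any other value is treated as absent.
    return "unprotected"


def hardened_headers() -> Dict[str, str]:
    """Headers that stop every origin from framing the page.

    Both are sent: older browsers understand only X-Frame-Options, while
    current ones give CSP frame-ancestors precedence.
    """
    return {
        "Content-Type": "text/html; charset=utf-8",
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


class HardenedHandler(BaseHTTPRequestHandler):
    """Minimal server whose responses refuse to be embedded in an iframe."""

    def do_GET(self):
        body = b"<!doctype html><title>not frameable</title><p>Hello</p>"
        self.send_response(200)
        for name, value in hardened_headers().items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed sample: a response carrying no anti-framing controls at all,
# which is the state the POC above relies on.
VULNERABLE_RESPONSE = {"Content-Type": "text/html", "Server": "example"}

if __name__ == "__main__":
    print("sample response:", framing_protection(VULNERABLE_RESPONSE))  # unprotected
    print("hardened response:", framing_protection(hardened_headers()))  # denied
    HTTPServer(("127.0.0.1", 8000), HardenedHandler).serve_forever()
```

Run the script, point the POC's iframe at http://127.0.0.1:8000/ and the browser leaves the frame blank (Chrome reports that the page refused to connect), which is the observable difference between an unprotected and a hardened response. To audit a live site, feed framing_protection() the headers from the response, keeping in mind that the classification is per response: a framework that sets the headers on HTML pages but not on error pages or redirects leaves those frameable.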
Comment 1 Jiri Kovalsky 2017-09-05 14:38:58 UTC
Thanks for the report. We will be soon migrating to Apache infrastructure. Closing as WONTFIX.
Comment 2 Jiri Kovalsky 2017-09-05 14:39:30 UTC
Closing.