
Wednesday, 25 March 2015

The Nokia browser Bug

Well, I have been quite INACTIVE for a long time. Due to failing in exams, I had to leave everything and open my books. Well, here is an old Nokia browser bug (for Symbian) which was declared as won't fix by Nokia.

Test device: Nokia 5233
Vulnerable application: Nokia browser 7.3.1.33


Everyone is quite well aware of clickjacking bugs.

If you aren't, read about it here:

https://www.owasp.org/index.php/Clickjacking

Most website owners use the X-Frame-Options header to prevent clickjacking on their website, and this header is supported by almost all browsers.



As can be seen in the above image, Google uses X-Frame-Options. So if you try to open their website in an iframe...



The website won't load. But...

When the same test page

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="http://www.google.com" width="350" height="400"></iframe>
</body>
</html>

was opened in the Nokia Symbian browser:


Buuhahahah. Kind of universal clickjacking: the browser loads the framed page regardless of the X-Frame-Options header.

Opera browsers, on the other hand, were not vulnerable :)




I reported it on 21st March 2013.

But they said they won't fix it.


There can be many reasons for not fixing. The best one, I guess, is that they are busy manufacturing Lumia and Symbian is out of the game :D.
But they should have fixed it, because clickjacking is quite harmful in some cases and is even used as a catalyst for CSRF attacks. Suppose you are visiting some website XYZ, and a malicious site owner has found a CSRF bug in it. He hides the payload in a frame inside his own web pages, sets the height and width of the frame to zero or changes the opacity to make it invisible, and everything goes unnoticed. The same applies to an XSS bug. Executing XSS and CSRF inside an invisible frame arouses far less suspicion than crafting a payload URL and sending mails, or using your ninja social-engineering tricks to take over the victim.
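The practical lesson for site owners is that X-Frame-Options only helps when the client enforces it, so you should at least confirm your pages actually send it (and its modern successor, the CSP frame-ancestors directive) and treat it as one layer among several. The following Node.js check is an added example, not code from the original post: it parses a captured HTTP response header block and reports which anti-framing controls a compliant browser would honour. The header sample is constructed.

```javascript
// Added example, not code from the original post. Given the raw header block of
// an HTTP response, report which anti-framing controls it carries. A browser that
// ignores these headers (as the post shows for the Symbian Nokia browser) gets no
// protection from them, so this only tells you what a compliant client enforces.

function parseHeaders(rawBlock) {
  // Returns a map of lower-cased header name -> array of values (headers may repeat).
  const headers = {};
  for (const line of rawBlock.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;                       // skip the status line and blanks
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return headers;
}

function framingProtection(rawBlock) {
  const h = parseHeaders(rawBlock);
  const xfo = (h['x-frame-options'] || []).map(v => v.toUpperCase());
  // Only DENY and SAMEORIGIN are reliably honoured; ALLOW-FROM never gained
  // broad browser support, so it is counted as no protection here.
  const xfoEffective = xfo.some(v => v === 'DENY' || v === 'SAMEORIGIN');

  // CSP frame-ancestors is the modern equivalent and takes precedence in browsers
  // that support it; a wildcard source list grants framing to anyone.
  let frameAncestors = null;
  for (const policy of h['content-security-policy'] || []) {
    for (const directive of policy.split(';')) {
      const parts = directive.trim().split(/\s+/);
      if (parts[0].toLowerCase() === 'frame-ancestors') frameAncestors = parts.slice(1);
    }
  }
  const cspEffective = frameAncestors !== null && !frameAncestors.includes('*');

  return {
    xFrameOptions: xfo.length ? xfo.join(', ') : null,
    frameAncestors,
    protectedForCompliantBrowsers: xfoEffective || cspEffective,
  };
}

// Constructed sample response headers (not a real capture).
const SAMPLE_RESPONSE_HEADERS = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=UTF-8',
  'X-Frame-Options: SAMEORIGIN',
  "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'",
].join('\r\n');

console.log(framingProtection(SAMPLE_RESPONSE_HEADERS));
```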


Cheers :)
Sorry for a very late post :)

4 comments:

Aditya Joshi said...

Thanks for this wonderful article. I didn't know how clickjacking works, but after reading this article, now I have some knowledge about clickjacking...... thanks CyberBoy

Shashank said...

Glad it was useful for you :)

Aditya Joshi said...

Bro, can you post some more articles about clickjacking so that I can learn more....
