I noticed that Hootsuite doesn't have protection for clickjacking, so I tested whether it was vulnerable to that attack, and it was. After submitting the report, they immediately deployed a fix:

The JavaScript frame-busting code above breaks ordinary framing code, e.g. `<iframe src="hootsuite.com" width="500" height="500"></iframe>`. Even the double-framing strategy (inserting the first frame into a second frame) won't work (source: OWASP Defense Sheet).

So, how do we break it? A write-up from Paulos Yibelo regarding Facebook clickjacking gave me an idea.

The bypass script and the output

Thanks for taking time to read. To God Be the Glory.
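The lesson of the section above, from the defender's side, is that a JavaScript frame-busting script is a weaker barrier than the browser-enforced headers the OWASP cheat sheet recommends. The following is an added example (not code from this write-up or from Hootsuite) that classifies a response's header-based clickjacking protection; the sample header sets are constructed, not captured from any real site.

```python
"""Assess header-based clickjacking defences from HTTP response headers.

Added example: tells whether a page relies only on JavaScript frame-busting
(no header protection) or also carries X-Frame-Options / CSP frame-ancestors.
"""
from typing import Dict, List


def parse_frame_ancestors(csp: str) -> List[str]:
    """Return the source list of the frame-ancestors directive, or [] if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return []


def assess_clickjacking_defense(headers: Dict[str, str]) -> Dict[str, object]:
    """Classify protection: 'strong' (restrictive CSP frame-ancestors),
    'legacy' (only X-Frame-Options DENY/SAMEORIGIN), or 'none' (neither;
    any frame-busting script on the page is the only barrier)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    xfo = h.get("x-frame-options", "").strip().upper()
    xfo_ok = xfo in ("DENY", "SAMEORIGIN")  # ALLOW-FROM is obsolete and not honoured
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    # '*' or a bare scheme source such as 'https:' still lets any origin frame the page
    csp_ok = bool(ancestors) and "*" not in ancestors and not any(
        a.endswith(":") for a in ancestors
    )
    if csp_ok:
        verdict = "strong"
    elif xfo_ok:
        verdict = "legacy"
    else:
        verdict = "none"
    return {"x_frame_options": xfo or None, "frame_ancestors": ancestors, "verdict": verdict}


# Constructed sample header sets (not captured from Hootsuite)
JS_ONLY = {"Content-Type": "text/html"}  # page relies solely on a frame-busting script
XFO_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
CSP_SITE = {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}

if __name__ == "__main__":
    for name, hdrs in (("js-only", JS_ONLY), ("xfo-only", XFO_ONLY), ("csp", CSP_SITE)):
        print(name, assess_clickjacking_defense(hdrs))
```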
HTML injections are minor bugs that allow an attacker to make a web server interpret malicious input. The bug relies on the ec parameter: anything placed after it is interpreted by the website, and the cause was a lack of proper input validation.

Vulnerable URL: https://login.ruxit.com/sso/UI/Login?realm=ruxit&goto=https%3A%2F%2Fiuq72031.live.ruxit.com%2Findex.jsp%3FSHA%3D0&ec=

Injected URL: https://login.ruxit.com/sso/UI/Login?realm=ruxit&goto=https%3A%2F%2Fiuq72031.live.ruxit.com%2Findex.jsp%3FSHA%3D0&ec=%3Ch1%3E%3Cmarquee%3Einjected%20by%20russel%20van%3C/marquee%3E%3C/h1%3E

They immediately deployed a fix for this one.

Another logical vulnerability was an information disclosure. This bug is much more sensitive, as it reveals the programming language used, the server, and full paths. The bug lies in the password reset page after you've submitted your email; it's quite a rare logic bug, as behaviors like that rarely exist on sites.

PoCs: