testing the functionality of this form

Posted: Thu Apr 16, 2020 2:20 am
by testnowplease
It's just that the admin demo page is vulnerable to clickjacking, and if the overlay is done properly by the attacker it could lead to account takeover.
The affected URL: https://demo.opencart.com/admin/
Just use any intercepting proxy you have, send a request and look at the response; you will find that there are no X-Frame-Options or CSP (frame-ancestors) headers to prevent it from happening.
The payload to use to check:

<!DOCTYPE HTML>
<html>
<body>
	<!-- frames the admin login page; the original post's iframe was missing its closing tag -->
	<center><iframe src="https://demo.opencart.com/admin/" width="1000px" height="1000px"></iframe></center>
</body>
</html>
Mitigation:
Just add an X-Frame-Options header.
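A defender-side way to verify the point made above, as an added example that is not part of the forum post: it parses a raw HTTP response of the kind captured in an intercepting proxy and reports whether an X-Frame-Options header or a CSP frame-ancestors directive would stop the page from being framed. The sample responses are constructed for illustration, not captured from demo.opencart.com.

```python
"""Check whether an HTTP response carries anti-framing headers (added example)."""
import re


def parse_headers(raw_response: str) -> dict:
    """Return response headers as a dict keyed by lower-cased header name."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def framing_protection(headers: dict) -> str:
    """Classify anti-framing posture as 'csp', 'xfo' or 'none'.

    Browsers that understand CSP frame-ancestors prefer it over
    X-Frame-Options, so it is checked first. A wildcard frame-ancestors
    list, or the obsolete ALLOW-FROM form of X-Frame-Options, counts as
    no protection.
    """
    csp = headers.get("content-security-policy", "")
    m = re.search(r"(?:^|;)\s*frame-ancestors\s+([^;]+)", csp, re.I)
    if m and m.group(1).strip().lower() != "*":
        return "csp"
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "none"


# Constructed sample responses: one without any framing protection,
# one carrying both mitigations.
VULNERABLE = ("HTTP/1.1 200 OK\r\n"
              "Content-Type: text/html\r\n"
              "\r\n<html>login form</html>")
MITIGATED = ("HTTP/1.1 200 OK\r\n"
             "Content-Type: text/html\r\n"
             "X-Frame-Options: SAMEORIGIN\r\n"
             "Content-Security-Policy: frame-ancestors 'self'\r\n"
             "\r\n<html>login form</html>")

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE), ("mitigated", MITIGATED)):
        print(label, "->", framing_protection(parse_headers(raw)))
```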

Re: testing the functionality of this form

Posted: Thu Apr 16, 2020 2:29 am
by straightlight
This topic has now been moved to the Other > Website Suggestions section of the forum.

Re: testing the functionality of this form

Posted: Thu Apr 16, 2020 2:30 am
by straightlight
I would suggest contacting site support from the contact us link of this website to submit this change. The Opencart team will review it as soon as possible.