Showing posts from July, 2017

Google(Apigee.com) ClickJacking Vulnerability

Hi folks,

This post is about one of my recent findings in apigee.com, which was acquired by Google in 2016. While monitoring requests and responses, I noticed that the following endpoint was missing the X-Frame-Options response header, as shown in the image below:

https://apigee.com/platform/<organization_name>/users/<user_email>

So I quickly visited the page, and it has an option to remove the user, as shown in the image below. In this case, if the attacker is inside the organization, they can easily trick the administrator into removing other users.

Working POC:

Response from Google:

Sad story :p

Thanks for reading ;)
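The finding above comes down to one missing response header. As an added example (not code from the original post and not Apigee's or Google's code), here is a small checker that takes a set of HTTP response headers and decides whether a browser would refuse to frame the page. It goes a little beyond the post: besides X-Frame-Options it also evaluates the CSP frame-ancestors directive, which current browsers honour in preference to X-Frame-Options, and it flags the deprecated ALLOW-FROM value, which modern browsers ignore and which therefore leaves a page framable. The sample responses are constructed for the example; the first one is modelled on the unprotected users page described in the post.

```python
"""Assess whether an HTTP response is protected against framing (clickjacking).

Added example, not code from the original post. Checks the two controls a
browser actually honours: X-Frame-Options (XFO) and the Content-Security-Policy
frame-ancestors directive.
"""
from dataclasses import dataclass

# Constructed sample responses. "users-page-unprotected" mirrors the post's
# finding: an HTML page with no framing protection at all.
SAMPLE_RESPONSES = {
    "users-page-unprotected": {
        "Content-Type": "text/html; charset=utf-8",
        "Set-Cookie": "session=constructed-example; HttpOnly; Secure",
    },
    "xfo-deny": {
        "Content-Type": "text/html",
        "X-Frame-Options": "DENY",
    },
    "csp-self-only": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    },
    "xfo-allow-from": {  # deprecated value: current browsers ignore it entirely
        "Content-Type": "text/html",
        "X-Frame-Options": "ALLOW-FROM https://partner.example",
    },
    "csp-without-frame-ancestors": {  # a CSP that says nothing about framing
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'",
    },
}


@dataclass
class FramingVerdict:
    protected: bool
    reason: str


def _get_header(headers, name):
    """Case-insensitive lookup: HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _parse_frame_ancestors(csp):
    """Return the frame-ancestors source list (quotes stripped), or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def assess_framing_protection(headers):
    """Decide whether a browser would refuse to render this response in a frame."""
    csp = _get_header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = _parse_frame_ancestors(csp)
        if ancestors is not None:
            # When frame-ancestors is present, browsers that support it ignore
            # X-Frame-Options, so the CSP directive alone decides the verdict.
            if ancestors == ["none"]:
                return FramingVerdict(True, "CSP frame-ancestors 'none' forbids all framing")
            if "*" in ancestors:
                return FramingVerdict(False, "CSP frame-ancestors '*' allows any origin to frame the page")
            return FramingVerdict(True, f"CSP frame-ancestors restricts framing to {ancestors}")

    xfo = _get_header(headers, "X-Frame-Options")
    if xfo is None:
        return FramingVerdict(False, "no X-Frame-Options and no CSP frame-ancestors: page can be framed")
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return FramingVerdict(True, f"X-Frame-Options {value}")
    if value.startswith("ALLOW-FROM"):
        return FramingVerdict(False, "X-Frame-Options ALLOW-FROM is deprecated and ignored; page can be framed")
    return FramingVerdict(False, f"unrecognised X-Frame-Options value {xfo!r} is ignored; page can be framed")


def scan(responses):
    """Run the check over a mapping of name -> response headers."""
    return {name: assess_framing_protection(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_RESPONSES).items():
        status = "OK  " if verdict.protected else "RISK"
        print(f"{status} {name:30} {verdict.reason}")
```

The fix for the page in the post is the "xfo-deny" or "csp-self-only" shape: send `X-Frame-Options: DENY` (or `SAMEORIGIN` if the page must be framed by its own origin) and, where a CSP is already deployed, add `frame-ancestors 'none'` or `'self'` to it so that both old and new browsers are covered. The checker is deliberately strict about invalid values because a misspelt header is just as absent as a missing one from the browser's point of view.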