ClickJacking Vulnerability — Exploiting HTML5 Security Features

Are you aware of any (private) bug bounty programs? I would love to get an invite. Please get in touch with me:


Modern web applications nowadays rely on a lot of technologies where typical web application vulnerabilities are hard to find (e.g. clickjacking is an ABC security bug), but bug hunters are always the best! is one of the oldest and most respected names in online binary trading. Using, customers can trade currencies, indices, stocks and commodities 24/7. is owned and operated by the Binary Ltd. group of companies. In the UK and Isle of Man, clients trade through Binary (IOM) Ltd. In the European Union (except the UK), they trade through Binary (Europe) Ltd and Binary Investments (Europe) Ltd. In the rest of the world, they trade through Binary (C.R.) S.A.

The bug:

While doing pentesting/bug hunting I also love to test subdomains, not only the main site, so I started testing the subdomain and found that it’s not protected against the clickjacking vulnerability, neither with the typical “X-Frame-Options” header nor with the JS frame-busting technique. That means a malicious attacker is capable of iframing the whole service and tricking end users into performing unwanted actions!

So I reported this vulnerability to with this PoC:

<iframe src="" width=600 height=400>
<p>Your browser does not support iframes.</p>
</iframe>

Then I got this reply from the security team on the same day:


And after two days I received a reply that the issue had been fixed.


I always love to bypass a resolved issue, and now comes the fun bit.

I started looking at how the security team fixed this vulnerability, i.e. whether the patch was adding X-Frame-Options or using a JS frame-busting technique. I found that the team used JS frame busting to patch this vulnerability, so let’s see how I bypassed this patch by exploiting an HTML5 security feature: sandboxed iframes.

What are sandboxed iframes?

The sandbox attribute enables an extra set of restrictions for the content in the iframe. When the sandbox attribute is present (with no allow-* tokens), the browser will:

  • Treat the content as being from a unique origin
  • Block form submission
  • Block script execution
  • Disable APIs
  • Prevent links from targeting other browsing contexts
  • Prevent the content from using plugins through <embed>, <object>, <applet>, or other
  • Prevent the content from navigating its top-level browsing context (this is what defeats a frame-busting script, since it is exactly the top-window redirect such a script relies on)
  • Block automatically triggered features (such as automatically playing a video or automatically focusing a form control)

Attack Scenario:

Iframe the Settings page, or any other sensitive page, with a sandboxed iframe that allows scripts to run but omits allow-top-navigation: the page’s frame-busting script executes, yet its attempt to redirect the top window is blocked, so the page stays framed and users can be fooled into performing unwanted actions.

The final bypassing PoC:

<iframe sandbox="allow-modals allow-scripts allow-forms allow-popups allow-same-origin"
src="" width=600 height=400>
<p>Bypassed By @AmeerAssadi.</p>
</iframe>
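As an added example (not part of the original post), a small Node.js checker that classifies a response’s clickjacking defence and flags the state this post describes: a page relying on a JS frame-busting script alone, with no X-Frame-Options or CSP frame-ancestors header, which the sandboxed iframe above neutralises. Header names and sample bodies are constructed for the demo.

```javascript
// Added example, not the original post's code. Classifies how a page defends
// against framing and flags the "JS frame busting only" state, which a
// sandboxed iframe with allow-scripts but without allow-top-navigation
// defeats. Headers and bodies below are constructed sample input.

function frameAncestorsDirective(csp) {
  // Extract the frame-ancestors source list from a Content-Security-Policy value.
  if (!csp) return null;
  const directive = csp.split(';').map(d => d.trim())
    .find(d => /^frame-ancestors\s/i.test(d));
  return directive ? directive.replace(/^frame-ancestors\s+/i, '').trim() : null;
}

function hasFrameBustingScript(body) {
  // Heuristic for the classic "if (top !== self) top.location = self.location" pattern.
  return /top\.location\s*=|top\.location\.(replace|href)/i.test(body) &&
         /(self|window)\s*!==?\s*top|top\s*!==?\s*(self|window)/i.test(body);
}

function classifyClickjackingDefence(headers, body) {
  // headers: object keyed by lower-case header name.
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { level: 'header', detail: `X-Frame-Options: ${xfo}` };
  }
  const fa = frameAncestorsDirective(headers['content-security-policy']);
  if (fa) {
    return { level: 'header', detail: `CSP frame-ancestors ${fa}` };
  }
  if (hasFrameBustingScript(body)) {
    // Browser-enforced headers are absent; the only defence runs inside the
    // framed page, and a sandboxed iframe blocks its top-window redirect.
    return { level: 'js-only', detail: 'frame busting only; bypassable via sandboxed iframe' };
  }
  return { level: 'none', detail: 'no framing protection found' };
}

// Constructed samples mirroring the three states in the post.
const SAMPLES = {
  original: { headers: {}, body: '<html><body>settings</body></html>' },
  firstFix: { headers: {}, body: '<script>if (top !== self) { top.location = self.location; }</script>' },
  hardened: { headers: { 'content-security-policy': "default-src 'self'; frame-ancestors 'self'" }, body: '' },
};

function runSamples() {
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) {
    out[name] = classifyClickjackingDefence(s.headers, s.body).level;
  }
  return out;
}
```

`runSamples()` returns `{ original: 'none', firstFix: 'js-only', hardened: 'header' }`; only the `header` level is enforced by the browser regardless of what the framing page puts in its sandbox attribute.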


The Binary Security Team rewarded me with a bounty and added my name to their Hall of Fame page. Thanks Binary!


  • Monday, 23rd May 2016 — Issue Reported
  • Monday, 23rd May 2016 — Issue Confirmed & Triaged
  • Wednesday, 25th May 2016 — Issue Resolved and team asks me to verify the fix
  • Wednesday, 25th May 2016 — Patch bypass sent
  • Wednesday, 8th June 2016 — Issue Patched

Written by

Application Security Engineer,
