ctrl+c & ctrl+v to Steal SESSIONID

Severity: Medium

Complexity: Medium

Weakness: Missing Clickjacking Header


  • During directory brute-forcing over 2–3 days, I came across the following endpoint:

https://site.com/ping/loggedIn

  • Response:

```json
{
  "type": "Ping",
  "loggedIn": true,
  "username": "arbazkiraak007",
  "sessionId": "54CA86A999CB2DE0CD87F1EB37289261-n3",
  "instanceId": "i-3c2662af"
}
```

  • The response body contains the value of the session cookie (SESSIONID).
  • The application has good protection against clickjacking on each and every other endpoint, but the X-Frame-Options header was missing on this one.
  • Created a simple demonstration of stealing the SESSIONID via a copy-paste game: the framed response can be selected, copied and pasted by the victim.
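The two conditions that make this finding exploitable are (1) the endpoint can be framed and (2) the framed response body echoes the session cookie value. The following is an added example, not code from the original writeup, of how a defender can audit a response for both conditions. The header names are real (X-Frame-Options, Content-Security-Policy frame-ancestors); the sample response, path and cookie value are constructed for the example.

```python
import json
import re
from typing import List, Mapping


def frame_protection(headers: Mapping[str, str]) -> str:
    """Classify how a response restricts being loaded in a frame.

    Returns "csp" (frame-ancestors present and not wildcard), "deny",
    "sameorigin" or "none". Header names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    xfo = lower.get("x-frame-options", "").strip().lower()

    # Modern browsers honour CSP frame-ancestors over X-Frame-Options.
    match = re.search(r"frame-ancestors\s+([^;]+)", csp, re.IGNORECASE)
    if match:
        sources = match.group(1).split()
        if "*" in sources:
            return "none"  # frame-ancestors * allows any origin to frame the page
        return "csp"
    if xfo == "deny":
        return "deny"
    if xfo == "sameorigin":
        return "sameorigin"
    return "none"


def body_echoes_cookie(body: str, cookie_value: str) -> bool:
    """True when the response body reproduces the session cookie value verbatim."""
    return bool(cookie_value) and cookie_value in body


def audit(path: str, headers: Mapping[str, str], body: str, cookie_value: str) -> List[str]:
    """Return a list of findings for one endpoint response (empty means clean)."""
    findings = []
    if frame_protection(headers) == "none":
        findings.append(f"{path}: framable (no X-Frame-Options or CSP frame-ancestors)")
    if body_echoes_cookie(body, cookie_value):
        findings.append(f"{path}: session cookie value is echoed in the response body")
    return findings


# Constructed sample data mirroring the shape of the response in the writeup
# (the path and cookie value are assumptions, not values from the page).
SAMPLE_PATH = "/ping/loggedIn"
SAMPLE_COOKIE = "CONSTRUCTED-SESSION-ID-0001"
SAMPLE_HEADERS = {"Content-Type": "application/json"}  # no framing protection at all
SAMPLE_BODY = json.dumps({
    "type": "Ping",
    "loggedIn": True,
    "username": "example-user",
    "sessionId": SAMPLE_COOKIE,
    "instanceId": "i-00000000",
})

# Same endpoint with the header the rest of the application already sends.
FIXED_HEADERS = {"Content-Type": "application/json", "X-Frame-Options": "DENY"}


if __name__ == "__main__":
    for finding in audit(SAMPLE_PATH, SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_COOKIE):
        print("FINDING:", finding)
    print("after adding X-Frame-Options:", audit(SAMPLE_PATH, FIXED_HEADERS, SAMPLE_BODY, SAMPLE_COOKIE))
```

Adding X-Frame-Options: DENY (or a CSP frame-ancestors directive) removes the framing finding, but the audit still reports the echoed session ID: an endpoint should not need to return the session cookie value in its body at all, so the full fix addresses both findings.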