386 Cross-Site Leak - Frame Counting


Description

It is possible for an external site to determine whether a user is logged into the platform by counting the frames that are loaded when a page of the platform is opened, because the number of frames differs between the authenticated and unauthenticated states. The victim must be logged into the platform and visit a site that runs a malicious frame-counting script.


Impact

Determine whether a specific user has access to the platform, and thus collect targets for spearphishing attacks.


Recommendation

Load the same number of frames in every application state (for example, logged in and logged out), so that the frame count reveals nothing about the session.
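As an added illustration of this recommendation (not code from this page or from the platform it describes), the JavaScript below counts the frame-creating elements in each server-rendered variant of a page and flags any mismatch, so the check can run as a regression test; the sample templates, the helper names and the header set are constructed for this example.

```javascript
// Added example: regression check that every rendering of a page creates the same
// number of child browsing contexts, which is what window.length exposes cross-origin.

// Count elements that create a child browsing context.
// Assumption: the app only uses <iframe> and <frame>; <object>/<embed> that load a
// document would also count and should be added to the pattern if used.
function countFrames(html) {
  const withoutComments = html.replace(/<!--[\s\S]*?-->/g, "");
  const matches = withoutComments.match(/<(iframe|frame)\b/gi);
  return matches ? matches.length : 0;
}

// Compare every variant of a page (logged in, logged out, error state, ...).
// Returns the per-variant counts and whether they all agree.
function checkFrameConsistency(variants) {
  const counts = {};
  for (const [name, html] of Object.entries(variants)) {
    counts[name] = countFrames(html);
  }
  const distinct = new Set(Object.values(counts));
  return { counts, consistent: distinct.size <= 1 };
}

// Constructed sample templates (leaky pattern): the logged-in page embeds a chat
// widget and a notifications frame, the logged-out page embeds nothing.
const LEAKY = {
  loggedIn: `<html><body><iframe src="/chat"></iframe><iframe src="/notify"></iframe></body></html>`,
  loggedOut: `<html><body><p>Please sign in</p></body></html>`,
};

// Remediated per the recommendation: the logged-out page loads the same number of
// frames (placeholders pointing at about:blank), so the count is identical in
// both states and tells an external page nothing about the session.
const FIXED = {
  loggedIn: LEAKY.loggedIn,
  loggedOut: `<html><body><p>Please sign in</p><iframe src="about:blank"></iframe><iframe src="about:blank"></iframe></body></html>`,
};

// Defence in depth (assumed hardening, not from the page): these response headers
// keep an external page from obtaining a usable window reference to count at all.
const HARDENING_HEADERS = {
  "Cross-Origin-Opener-Policy": "same-origin",          // severs the window.open() handle
  "Content-Security-Policy": "frame-ancestors 'self'",  // blocks embedding in a foreign iframe
};

console.log("leaky:", checkFrameConsistency(LEAKY));   // consistent: false
console.log("fixed:", checkFrameConsistency(FIXED));   // consistent: true
```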


Threat

An attacker on the Internet sending malicious links.


Expected Remediation Time

120 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: N
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: N
  • User interaction: P
  • Confidentiality (VC): L
  • Integrity (VI): N
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: X

Requirements


Last updated

2024/02/20