Hello Dear Sir, Good Morning
I hope you are fine and in good health, you and your family.
I hope that this new year 2022 will be all success, love and respect among your family; I wish you with all my heart good luck and a beautiful life.
I hope this message finds you well. I'm reaching out today because I found two bugs in your site:
odoo.com
I'm Hatim Chabik, a student of physiotherapy and security researcher.
I look for bugs in my spare time to earn some money for my studies,
and I am writing this email to inform you that I found a bug on your website.
*********************************************************************************************************
Bug: Open Redirect
Bug: lack of security headers
Bug: Frameable response (potential Clickjacking)
***********************************************************************************************************
Bug: Open Redirect
***************************************************************************************************
Bug: lack of security headers. I noticed the lack of a lot of security headers:
1: Feature-Policy is not set: Feature Policy is a header that allows a site to control which features and APIs can be used in the browser.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy
2: The Referrer-Policy is not set: Referrer Policy is a new header that allows a site to control how much information the browser includes when navigating to another website, and should be set by all sites.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
3: The X-XSS-Protection header is not set: X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. Recommended value: "X-XSS-Protection: 1; mode=block".
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
4: X-Frame-Options header missing: X-Frame-Options tells the browser whether you want to allow your site to be used in iframes or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value: "X-Frame-Options: SAMEORIGIN".
https://en.wikipedia.org/wiki/Clickjacking#X-Frame-Options
5: The Content-Security-Policy is not set: Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
https://en.wikipedia.org/wiki/Content_Security_Policy
6: X-Content-Type-Options header not set: X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content type. The only valid value for this header is "X-Content-Type-Options: nosniff".
https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
*************************************************************************************************************************************************
Bug: Frameable response (potential Clickjacking)
Host: https://odoo.com
If a page fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP header, it might be possible for a page controlled by an attacker to load it within an iframe. This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.
Note that some applications attempt to prevent these attacks from within the HTML page itself, using "framebusting" code. However, this type of defense is normally ineffective and can usually be circumvented by a skilled attacker.
You should determine whether any functions accessible within frameable pages can be used by application users to perform any sensitive actions within the application.
Issue remediation
To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.
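As an added example (not part of the report above), the following Python audits a response's headers against the six-header checklist and the framing remediation described in the two sections above; the header dictionaries BEFORE and AFTER are constructed for the demo, not captured from any site.

```python
# Added example (not from the report): audit a response's headers against its checklist.
from typing import Dict, List, Optional
# Header -> value the report recommends (None: any site-specific value is acceptable).
RECOMMENDED: Dict[str, Optional[str]] = {
    "Feature-Policy": None,
    "Referrer-Policy": None,
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": None,
    "X-Content-Type-Options": "nosniff",
}

def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    # Header names are case-insensitive, so normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}

def missing_headers(headers: Dict[str, str]) -> List[str]:
    """Checklist headers absent from the response, in the report's order."""
    present = _lower(headers)
    return [name for name in RECOMMENDED if name.lower() not in present]

def is_frameable(headers: Dict[str, str]) -> bool:
    """True when nothing restricts framing by other origins (CSP frame-ancestors
    overrides X-Frame-Options where supported, so it is consulted first)."""
    h = _lower(headers)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # 'none', 'self' or a named allow-list restricts framing; '*' does not.
            return "*" in parts[1:]
    return h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN")

# Constructed 'before' response: none of the checklist headers are set.
BEFORE = {"Content-Type": "text/html", "Server": "example"}
# Constructed 'after' response carrying the values the report recommends.
AFTER = {
    "Content-Type": "text/html",
    "Feature-Policy": "geolocation 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, "missing:", missing_headers(hdrs), "frameable:", is_frameable(hdrs))
```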
________________________________________________________________________________________
I do this work to alert you of a bug in your website, to fix bugs and to make your site safer.
I have experience in this field of more than 6 years, I have a lot of certificates in this field, and my name is included in the hall of fame of many sites.
If possible, I would like to work with you in finding many serious bugs that negatively affect your site,
and I am very happy to make your site safer.
I will be very happy if you accept a request to work together to make your site secure.
I really desperately need a reward in these difficult circumstances that the world is going through, to help myself with study requirements; this is the only job I work and earn money from, and with this money I help myself in my studies and my family.
I hope you can see my message and respond to me, please.
I need your response.
Only help me and appreciate me for this work on your site to make your site safer.
May I request this of you, if it is possible, sir? I'll be very grateful to you.
I would be very happy if you reward me,
if possible, to my PayPal account:
PayPal: [email protected]
Please, if you read my message, please tell me so that I know you got it. Please let me know if you're interested in this and, as I am a security researcher, whether you would like to work together and discover more very important and dangerous bugs for your site, to make your site more secure. I look forward to hearing from you.
Sincerely, best regards
Hatim Chabik
Security researcher
My account on Twitter: https://twitter.com/H_chabik