URL redressing or click jacking

    I was wondering if we have any native measures in place to prevent a Miva store or a page from getting hijacked?
    I was just reading about how smaller sites are often targeted.
    Or should I not worry about it? :-)
    pat
    http://lockitt.com

    #2
    I assume you mean people adding JavaScript to hijack your site/checkout?

    Yes we have a number of native tools to help with that. I'll have Nick or Brennan chime in with more details.
    Thanks,

    Rick Wilson
    CEO
    Miva, Inc.
    [email protected]
    https://www.miva.com



      #3
      The single best protection though is strong passwords, changed every 90 days and 2FA on all Admin accounts. That will stop most attacks before they can happen.
      Thanks,

      Rick Wilson
      CEO
      Miva, Inc.
      [email protected]
      https://www.miva.com



        #4
        I got one of those emails, which I always ignore and delete, but this one got me thinking a bit.
        I wondered if it would be possible to trick shoppers into thinking they are on the legit site when they are not.
        Hence the question, since I really don't know much about any of it.

        Email copied below.

        VULNERABILITY REPORT : CLICK JACKING

        Hi team,

        I am a security researcher and freelance ethical hacker, and I have discovered a vulnerability in your website.

        Bug type : UI Redressing
        Impact : Phishing

        Description :
        Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

        Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

        <!DOCTYPE html>
        <html>
        <head><title>Clickjack test page</title></head>
        <body>

        <h1> Clickjacking in your website </h1>
        <!-- iframe is not a void element: it needs an explicit closing tag, or the
             browser treats everything after it as iframe fallback content -->
        <iframe width="1000" height="500" src="https://lockitt.com/"></iframe>

        </body>
        </html>


        Impact:
        The site can also be opened in an iframe after the user has logged in, making it hard for the user to avoid phishing. A user can be tricked into downloading a malicious file that an attacker wants the user to download, allowing the attacker to gain access to the user's device.


        Remediation :
        Add an iframe destroyer in the header of the page


        Note :
        I am also attaching a screenshot as proof of concept.

        I hope to receive a reward for the responsible disclosure of this vulnerability.

        Waiting for your response.


        Best Regards
        White HaT
        pat
        http://lockitt.com



          #5
          You can set a page header to make your iframes more secure.

          From the HTTP headers tab > Add New > Header: FRAME-SRC, value: SELF.

          That will prevent scripts from injecting content into your site through an iframe. You can also add the domains of sites that are allowed to inject content in the value tag.

          To prevent other sites from injecting your site into their iframe, use:

          Add New > Header: X-FRAME-OPTIONS, value: SAMEORIGIN.

          You need to have the headers module installed and assigned to the page.

          You should monitor the page for any unintended consequences.
          Last edited by alphabet; 08-06-24, 10:52 AM.
          http://www.alphabetsigns.com/
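A way to check which response headers actually stop a third party from framing a page, as an added example that is not Miva's code or any poster's: it applies the browser rule that only X-Frame-Options and the Content-Security-Policy frame-ancestors directive govern who may embed a page, while the CSP frame-src directive only governs what the page itself may embed. A response carrying nothing but frame-src 'self' therefore still loads inside the researcher's test page above. The header sets in SAMPLES are constructed, and secure_app and headers_from_wsgi are hypothetical helper names chosen for this example.

```python
"""Decide from response headers whether another origin can put a page in an iframe.

Added example, not Miva code. Header and directive names are the real standard
ones; the sample responses are constructed for illustration only.
"""
from typing import Dict, List, Tuple


def _parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]} (quotes removed)."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.strip("'").lower() for p in parts[1:]]
    return policy


def frameable_by_third_party(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (frameable, reason) for a response with the given headers.

    Only X-Frame-Options and the CSP frame-ancestors directive restrict who may
    embed this page. CSP frame-src restricts what *this* page embeds, so it is
    not an anti-clickjacking control.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = _parse_csp(h.get("content-security-policy", ""))

    ancestors = csp.get("frame-ancestors")
    if ancestors is not None:
        # Browsers ignore X-Frame-Options once frame-ancestors is present.
        if "*" in ancestors or any(a.endswith(":") for a in ancestors):
            return True, "frame-ancestors permits any origin (wildcard or bare scheme)"
        return False, "frame-ancestors restricts embedding to: " + " ".join(ancestors)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False, f"X-Frame-Options: {xfo}"
    if xfo:
        # ALLOW-FROM and any other unrecognised value is ignored, which leaves the page frameable.
        return True, f"X-Frame-Options value {xfo!r} is not honoured by current browsers"

    if "frame-src" in csp:
        return True, "CSP frame-src only limits what this page embeds; it does not stop others framing it"
    return True, "no anti-framing header at all"


def secure_app(environ, start_response):
    """Minimal WSGI app (hypothetical) that sends both anti-framing headers."""
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-Frame-Options", "SAMEORIGIN"),                     # legacy browsers
        ("Content-Security-Policy", "frame-ancestors 'self'"),  # modern browsers
    ])
    return [b"<h1>Store</h1>"]


def headers_from_wsgi(app) -> Dict[str, str]:
    """Call a WSGI app with a minimal GET environ and return its response headers."""
    captured: Dict[str, str] = {}

    def start_response(status, response_headers, exc_info=None):
        captured.update(response_headers)

    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured


# Constructed header sets, not captured from any real site.
SAMPLES = {
    "no headers":      {},
    "frame-src only":  {"Content-Security-Policy": "frame-src 'self'"},
    "xfo sameorigin":  {"X-Frame-Options": "SAMEORIGIN"},
    "frame-ancestors": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp wildcard":    {"Content-Security-Policy": "frame-ancestors *"},
    "hardened app":    headers_from_wsgi(secure_app),
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        frameable, why = frameable_by_third_party(hdrs)
        print(f"{name:16} frameable={str(frameable):5} {why}")
```

Run it and the "frame-src only" row comes out frameable while "xfo sameorigin", "frame-ancestors" and "hardened app" do not; sending both headers, as secure_app does, covers browsers that only understand one of them.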
