
Web Application Potentially Vulnerable to Clickjacking (CVE-2021-37788)

**Disclaimer**: Please note that the following actions involve making changes to your system. We provide this information for guidance purposes only. We are not responsible for any damage or loss that may occur as a result of implementing these steps. It is recommended to proceed with caution and have a valid backup of your server before making any modifications.

Vulnerability Details 

Clickjacking is a vulnerability where an attacker tricks a user into interacting with hidden or disguised elements on a web page, leading to unintended actions. The attacker typically uses an invisible iframe to load the legitimate target web page and then overlays malicious content on top. As a result, users may unknowingly perform actions like purchasing items, sharing personal information, or entering credentials. This can lead to sensitive information being stolen or other malicious actions being performed on behalf of the user.

Severity Rating

Medium

How to Verify if a Device is Vulnerable

Use Nessus plugin ID 85582 to scan the device for this vulnerability.

Alternatively, you can verify this vulnerability manually with the following method.

Using curl, you can inspect the response headers:

curl -I http://your-web-site.com

If the vulnerability is not present, the response should include:

X-Frame-Options: DENY

Content-Security-Policy: frame-ancestors 'none';

How to Fix

Add these headers to your web server configuration to prevent framing (Apache mod_headers syntax):

Header always set X-Frame-Options "DENY"
Header always set Content-Security-Policy "frame-ancestors 'none';"

It is also possible to mitigate this vulnerability by adding a script to the page's HTML. The best practice is to fix the issue in the web server configuration itself; if that is not possible for some reason, the following script protects against clickjacking, but only on the specific page that includes it, not the whole website:

<style id="antiClickjack">body { display: none !important; }</style>

<script>
  // The page stays hidden until the script confirms it is the top-level document.
  if (self === top) {
    // Not framed: remove the hiding style so the page renders normally.
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
  } else {
    // Framed: navigate the top window to this page to break out of the frame.
    top.location = self.location;
  }
</script>

Rollback

To perform a rollback, remove the HTTP headers.

Open your configuration file and remove or comment out the X-Frame-Options directive:

# Header always set X-Frame-Options "DENY"

Next, remove or comment out the Content-Security-Policy directive in the same file:

# Header always set Content-Security-Policy "frame-ancestors 'none';"

If you used the HTML script to protect specific webpages, simply remove the script from the pages.

How to Verify the Fix

  • Rescan the device with Nessus plugin ID 85582 and check for the vulnerability.
  • Analyze the HTTP headers using the following command:
    curl -I http://your-website.com

You should see the following headers in the response:

X-Frame-Options: DENY

Content-Security-Policy: frame-ancestors 'none';
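The following Python checker is an added example, not part of this article or the Nessus plugin: it applies the same test as the curl commands under "How to Verify if a Device is Vulnerable" and "How to Verify the Fix", parsing X-Frame-Options and the CSP frame-ancestors directive instead of eyeballing the output. Function names and the sample response are my own; the sample is constructed, not captured from a real server.

```python
import urllib.request

def parse_raw_headers(raw):
    """Split `curl -I`-style output into (name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None

def assess_framing(headers):
    """headers: iterable of (name, value). Returns (protected, reason)."""
    xfo = None
    ancestors = None
    for name, value in headers:
        key = name.lower()
        # Only the enforcing CSP header counts; Content-Security-Policy-Report-Only
        # does not block framing. First occurrence wins; fix duplicates server-side.
        if key == "x-frame-options" and xfo is None:
            xfo = value.upper()
        elif key == "content-security-policy" and ancestors is None:
            ancestors = frame_ancestors(value)
    # A browser that supports frame-ancestors obeys it and ignores X-Frame-Options.
    if ancestors is not None:
        if "*" in ancestors:
            return False, "frame-ancestors allows any origin (*)"
        return True, "CSP frame-ancestors: " + (" ".join(ancestors) or "(empty list)")
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options: " + xfo
    if xfo is None:
        return False, "no X-Frame-Options or CSP frame-ancestors header"
    # ALLOW-FROM is obsolete and other values are invalid; browsers ignore them.
    return False, "X-Frame-Options value not enforced by modern browsers: " + xfo

def check_url(url, timeout=10):
    """Send a HEAD request (like curl -I) and assess the returned headers."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return assess_framing(resp.getheaders())

if __name__ == "__main__":
    # Constructed sample of curl -I output showing the headers this article expects.
    SAMPLE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: DENY\r\n"
              "Content-Security-Policy: frame-ancestors 'none';\r\n")
    print(assess_framing(parse_raw_headers(SAMPLE)))
```

Pass pasted `curl -I` output to `parse_raw_headers` for an offline check, or call `check_url("http://your-web-site.com")` to test a live server.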

Links (for additional resources and references)

https://www.tenable.com/plugins/nessus/85582
https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html
