chihyu

Cross-Frame Scripting Problem

I'm using WebInspect, and it detects that my website has a Cross-Frame Scripting problem (Cross-Frame Scripting (11293)).

But even though my response headers have X-Frame-Options and Content-Security-Policy: frame-ancestors settings,

WebInspect still detects the same problem.

Is there any way to resolve it?


Request

GET /frontend/category/query?root=1&cate=1001 HTTP/1.1
Referer: http://10.10.10.131:8080/frontend/category/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: 10.10.10.131:8080
Connection: Keep-Alive
X-WIPP: AscVersion=18.20.178.0
X-Scan-Memo: Category="Crawl"; SID="F325152F4693DCE4BFB615E8101495FF"; PSID="C6A44427AF0D030EAC2F121B4FD23580"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative"; LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="339"; ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: RequestorThreadIndex="4"; sid="2178"; smi="0"; sc="1"; ID="90f40b46-9a6a-4a40-96fd1669eed33a0d";
X-Request-Memo: ID="d0458820-e06e-4fa0-b9f5-9b78a884ea51"; sc="2"; ThreadId="92";
Cookie: CustomCookie=WebInspect150609ZXE9E1EE8D9ED144E4B1DB27C898026E06YF8E0;JSESSIONID=74458EEC6AA3013D93D9C929E2D351B7

Response:

HTTP/1.1 200
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
ETag: "041714bbdd50a46b82a765c48ea100782"
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Content-Security-Policy: default-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self' data:;frameancestors 'self';
Content-Type: text/html;charset=UTF-8
Content-Language: zh-TW
Content-Length: 11544
Date: Thu, 09 May 2019 08:00:42 GMT

Can any one help on this issue?

Micro Focus Expert

Re: Cross-Frame Scripting Problem

Reviewing your HTTP Request/Response pair and the Check 11293 description, the key item I found was that your Response had "frameancestor" and the remediation details mentioned "frame-ancestor" (with a hyphen). I cannot tell how relevant that difference in name may be for this finding. You may want to present this information to the Fortify Support team (https://softwaresupport.softwaregrp.com) so they can have our Research Team review it directly.

Request


GET /frontend/category/query?root=1&cate=1001 HTTP/1.1
Referer: http://10.10.10.131:8080/frontend/category/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: 10.10.10.131:8080
Connection: Keep-Alive
X-WIPP: AscVersion=18.20.178.0
X-Scan-Memo: Category="Crawl"; SID="F325152F4693DCE4BFB615E8101495FF"; PSID="C6A44427AF0D030EAC2F121B4FD23580"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative"; LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="339"; ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: RequestorThreadIndex="4"; sid="2178"; smi="0"; sc="1"; ID="90f40b46-9a6a-4a40-96fd1669eed33a0d";
X-Request-Memo: ID="d0458820-e06e-4fa0-b9f5-9b78a884ea51"; sc="2"; ThreadId="92";
Cookie: CustomCookie=WebInspect150609ZXE9E1EE8D9ED144E4B1DB27C898026E06YF8E0;JSESSIONID=74458EEC6AA3013D93D9C929E2D351B7

Response:

HTTP/1.1 200
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
ETag: "041714bbdd50a46b82a765c48ea100782"
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Content-Security-Policy: default-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self' data:;frameancestors 'self';
Content-Type: text/html;charset=UTF-8
Content-Language: zh-TW
Content-Length: 11544
Date: Thu, 09 May 2019 08:00:42 GMT


Summary: Missing Cross-Frame Scripting Protection


Vulnerability ID: 11293
CWE ID: 352
Kingdom: Security Features

 

A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. The attacker could use this weakness to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks.

Clickjacking
The goal of a Clickjacking attack is to deceive the victim (user) into interacting with UI elements of the attacker’s choice on the target web site without their knowledge and then executing privileged functionality on the victim’s behalf. To achieve this goal, the attacker must exploit the XFS vulnerability to load the attack target inside an iframe tag, hide it using Cascading Style Sheets (CSS) and overlay the phishing content on the malicious page. By placing the UI elements on the phishing page so they overlap with those on the page targeted in the attack, the attacker can ensure that the victim must interact with the UI elements on the target page not visible to the victim.

WebInspect has detected a page which potentially handles sensitive information using an HTML form with a password input field and is missing XFS protection.

 

Execution:

How to verify or exploit the issue.


Create a test page containing an HTML iframe tag whose src attribute is set to ~FullURL~. Successful framing of the target page indicates that the application is susceptible to XFS.

Note that WebInspect will report only one instance of this check across each host within the scope of the scan. The other visible pages on the site may, however, be vulnerable to XFS as well and therefore should be protected against it with an appropriate fix.


Implication:

How this vulnerability affects you.


A Cross-Frame Scripting weakness could allow an attacker to embed the vulnerable application inside an iframe. Exploitation of this weakness could result in:

1. Hijacking of user events such as keystrokes
2. Theft of sensitive information
3. Execution of privileged functionality through combination with Cross-Site Request Forgery attacks


Fix:

How to remediate the issue.


The Content Security Policy (CSP) frame-ancestors directive obsoletes the X-Frame-Options header. Both provide for a policy-based mitigation technique against cross-frame scripting vulnerabilities. The difference is that while the X-Frame-Options technique only checks against the top-level document’s location, the CSP frame-ancestors header checks for conformity from all ancestors.

If both CSP frame-ancestors and X-Frame-Options headers are present and supported, the CSP directive will prevail. WebInspect recommends using both CSP frame-ancestors and X-Frame-Options headers as CSP is not supported by Internet Explorer and many older versions of other browsers.

In addition, developers must also use client-side frame busting JavaScript as a protection against XFS. This will enable users of older browsers that do not support the X-Frame-Options header to also be protected from Clickjacking attacks.

X-Frame-Options
Developers can use this header to instruct the browser about appropriate actions to perform if their site is included inside an iframe. Developers must set the X-Frame-Options header to one of the following permitted values:

• DENY
Deny all attempts to frame the page
• SAMEORIGIN
The page can be framed by another page only if it belongs to the same origin as the page being framed
• ALLOW-FROM origin
Developers can specify a list of trusted origins in the origin attribute. Only pages on origin are permitted to load this page inside an iframe

Content-Security-Policy: frame-ancestors
Developers can use the CSP header with the frame-ancestors directive, which replaces the X-Frame-Options header, to instruct the browser about appropriate actions to perform if their site is included inside an iframe. Developers can set the frame-ancestors attribute to one of the following permitted values:

• 'none'
Equivalent to "DENY" - deny all attempts to frame the page
• 'self'
Equivalent to "SAMEORIGIN" - the page can be framed by another page only if it belongs to the same origin as the page being framed
• <host-source>
Equivalent to "ALLOW-FROM" - developers can specify a list of trusted origins which may be a host name or IP address or URL scheme. Only pages on this list of trusted origins are permitted to load this page inside an iframe
• <scheme-source>
Developers can also specify a scheme such as http: or https: that can frame the page.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
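The remediation text above lists the accepted X-Frame-Options values and CSP frame-ancestors sources, and the reply points out that the response in the thread carries `frameancestors` without the hyphen. The following is an added example (not code from the thread, from WebInspect, or from Micro Focus) that parses a captured response, checks those two headers against the values the Fix section names, and flags CSP directive names a browser would not recognise. The two response texts are constructed from the headers posted in the thread; the `KNOWN_CSP_DIRECTIVES` list is an assumption covering the common CSP2/CSP3 directive names.

```python
"""Check whether an HTTP response actually carries anti-framing protection.

Added example, not part of the original thread. It reproduces the reviewer's
observation: the thread's CSP spells the directive 'frameancestors', which is
not a CSP directive name and is silently ignored by browsers, so only the
X-Frame-Options header is doing any work.
"""

# Assumption: directive names from CSP Level 2/3; anything else is treated as unknown.
KNOWN_CSP_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "media-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "base-uri", "form-action", "frame-ancestors",
    "report-uri", "report-to", "upgrade-insecure-requests",
    "block-all-mixed-content", "sandbox", "plugin-types",
}


def parse_headers(raw_response):
    """Turn a raw status line + header block into {lower-name: [values]}.

    Header names are case-insensitive; repeated headers (the thread's response
    sends X-Content-Type-Options twice) are kept as a list.
    """
    headers = {}
    for line in raw_response.strip().splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(value):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for token in value.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_framing_protection(raw_response):
    """Return (protected, findings).

    protected is True when at least one of X-Frame-Options (DENY/SAMEORIGIN)
    or CSP frame-ancestors (not wildcard) is present and well-formed.
    findings lists everything a reviewer should look at.
    """
    headers = parse_headers(raw_response)
    findings = []
    protected = False

    xfo_values = headers.get("x-frame-options", [])
    if not xfo_values:
        findings.append("X-Frame-Options header missing")
    for xfo in xfo_values:
        value = xfo.upper()
        if value in ("DENY", "SAMEORIGIN"):
            protected = True
        elif value.startswith("ALLOW-FROM"):
            findings.append(f"X-Frame-Options '{xfo}': ALLOW-FROM is obsolete and ignored by current browsers")
        else:
            findings.append(f"X-Frame-Options has unrecognised value '{xfo}'")

    csp_values = headers.get("content-security-policy", [])
    if not csp_values:
        findings.append("Content-Security-Policy header missing")
    for csp in csp_values:
        policy = parse_csp(csp)
        for directive in policy:
            if directive not in KNOWN_CSP_DIRECTIVES:
                findings.append(f"CSP directive '{directive}' is not a known directive and will be ignored by browsers")
        if "frame-ancestors" not in policy:
            findings.append("CSP present but has no frame-ancestors directive")
        elif "*" in policy["frame-ancestors"]:
            findings.append("CSP frame-ancestors allows any origin ('*')")
        else:
            protected = True

    return protected, findings


# Constructed from the response headers posted in the thread (misspelled directive).
THREAD_RESPONSE = """HTTP/1.1 200
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self' data:;frameancestors 'self';
Content-Type: text/html;charset=UTF-8
"""

# Same response with the directive spelled as the Fix section gives it.
FIXED_RESPONSE = THREAD_RESPONSE.replace("frameancestors", "frame-ancestors")


if __name__ == "__main__":
    for label, response in (("thread", THREAD_RESPONSE), ("fixed", FIXED_RESPONSE)):
        protected, findings = check_framing_protection(response)
        print(f"{label}: protected={protected}")
        for finding in findings:
            print("  -", finding)
```

Running it against the thread's response reports it as protected (X-Frame-Options: SAMEORIGIN is valid) but lists the unknown `frameancestors` directive and the absence of a real `frame-ancestors` directive; the corrected response produces no findings. The check only reads headers, so a scanner that flags the page for a different reason (the user's report suggests it triggers on any HTML form) would not be explained by it.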
chihyu

Re: Cross-Frame Scripting Problem

Hi HansEnders,

Content-Security-Policy: default-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self' data:;frame-ancestors 'self';

 

I tried rescanning all day and found that when my page has an HTML form block, WebInspect will detect that the page has a Cross-Frame Scripting vulnerability, even if it has CSP and X-Frame-Options headers. So I think that is an obvious false positive.

 

Micro Focus Expert

Re: Cross-Frame Scripting Problem

In that case PLEASE open a Support Case (https://softwaresupport.softwaregrp.com) and submit this information for review by our Research Team. They would be VERY interested in any failure for the Check, and would be in the best position to fix it in everyone's attack database with a future SmartUpdate.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify