
Client Cross Frame Scripting Attack resolution

We have developed a new application, and before moving the changes we did a static scan of the code using Checkmarx. There is a medium-level vulnerability found in the code, named Client Cross Frame Scripting Attack.

This is detected at the first line of the JSP page:

<!DOCTYPE html>

Can you please help me understand this attack and what should be done to eliminate it?

The Client Cross Site Scripting Attack query finds if the page protects itself against being embedded in an IFrame. It searches for conditions such as:

 if (top != self)
 if (top.location != location)
 if (top.frames.length != 0)

and so on.

This specific file, I believe, has no such conditions, so it MOST LIKELY does not protect itself, and this is why the query has found and marked it. Since we are looking for a missing line here, the result just shows you the file, and cannot show you where the problem is.

Hope it helps,

Adar from Checkmarx.
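The answer above describes the finding as a missing frame-busting condition rather than a specific bad line. The following Node.js script is an added example, not code from the thread or from Checkmarx, that reproduces that idea as a small static check: it pulls the inline script blocks out of a page source and looks for the `top != self`, `top.location != location`, `top.frames.length != 0` and `self === top` style conditions the answer lists. The pattern list, the function names and the three sample pages are constructed for this example; a real scanner would also have to account for externally loaded scripts and header-based protections, which a source-only check cannot see.

```javascript
// Added example (not from the original thread): a minimal static check that mirrors
// what the "Client Cross Frame Scripting Attack" query is described as doing, namely
// deciding whether a page contains any frame-busting condition at all.

// Conditions the query is said to look for (assumed patterns, constructed here).
const FRAME_BUST_PATTERNS = [
  /\btop\s*!==?\s*self\b/,                                   // top != self
  /\bself\s*!==?\s*top\b/,                                   // self != top
  /\btop\.location\s*!==?\s*(?:self\.|window\.)?location\b/, // top.location != location
  /\b(?:window\.|self\.)?location\s*!==?\s*(?:window\.)?top\.location\b/,
  /\btop\.frames\.length\s*!==?\s*0\b/,                      // top.frames.length != 0
  /\bself\s*===?\s*top\b/,                                   // antiClickjack style
  /\btop\s*===?\s*self\b/,
];

// Return the bodies of all inline <script> blocks; markup and text outside scripts
// are ignored so a sentence mentioning "top != self" in a paragraph is not a hit.
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) scripts.push(m[1]);
  return scripts;
}

// First frame-busting condition found in any inline script, or null if none.
function findFrameBustCondition(html) {
  for (const body of extractInlineScripts(html)) {
    for (const pattern of FRAME_BUST_PATTERNS) {
      const hit = body.match(pattern);
      if (hit) return hit[0].replace(/\s+/g, ' ');
    }
  }
  return null;
}

// One result per page: like the query, an unprotected page is reported as a whole
// file finding because there is no single line to point at.
function assessPage(name, html) {
  const condition = findFrameBustCondition(html);
  return {
    name,
    protected: condition !== null,
    condition,
    finding: condition === null
      ? 'Client Cross Frame Scripting Attack: no frame-busting condition found'
      : null,
  };
}

// Constructed sample pages: one with no protection and two with frame busting.
const SAMPLE_PAGES = {
  unprotected: `<!DOCTYPE html>
<html><head><title>Report</title></head>
<body><h1>Quarterly report</h1></body></html>`,
  bustsWithTopSelf: `<!DOCTYPE html>
<html><head><script>if (top != self) { top.location = self.location; }</script></head>
<body></body></html>`,
  antiClickjack: `<!DOCTYPE html>
<html><head>
<style id='antiClickjack'>body{display:none !important;}</style>
<script type='text/javascript'>
  if (self === top) {
    var antiClickjack = document.getElementById('antiClickjack');
    antiClickjack.parentNode.removeChild(antiClickjack);
  } else {
    top.location = self.location;
  }
</script>
</head><body></body></html>`,
};

function scanAll(pages = SAMPLE_PAGES) {
  return Object.entries(pages).map(([name, html]) => assessPage(name, html));
}

console.log(JSON.stringify(scanAll(), null, 2));
```

Run it with `node` to see the three verdicts; the `unprotected` page is the only one that produces a finding, and the other two report which condition satisfied the check. Because the check is purely textual, a condition inside a JavaScript comment would also count as protection, which is the same blind spot a pattern-based static query has.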

For more depth on this issue, and to actually fix the Cross-Frame Scripting problem, check out https://css-tricks.com/snippets/javascript/break-out-of-iframe/

Basically throw this into your parent-most layout file (_Layout.cshtml in C# MVC):

    (function (window) { // Prevent Cross-Frame Scripting attacks
        if (window.location !== window.top.location)
            window.top.location = window.location;
    })(this);

Just add the following piece of code in your HTML file.

<style id='antiClickjack'>
    body{display:none !important;}
</style>

<script type='text/javascript'>
    if (self === top) {
        var antiClickjack = document.getElementById('antiClickjack');
        antiClickjack.parentNode.removeChild(antiClickjack);
    } else {
        top.location = self.location;
    }
</script>
