Implementing Checkmarx suggested clickjacking fix introduces high severity Client DOM XSS vulnerability

My organization has scanned our code using Checkmarx and the low severity issue Potential Clickjacking on Legacy Browsers was detected due to a JavaScript function firing on an HTML image click event.

We have implemented the following suggested fixes:

  • Define and implement a Content Security Policy (CSP) on the server side, including a frame-ancestors directive (frame-ancestors 'self')

  • "X-Frame-Options" header set to "SAMEORIGIN"

  • Legacy browser support is needed, so we added a frame-busting script similar to the following example in the Checkmarx documentation:

<html>
    <head>
        <style> html {display : none; } </style>
        <script>
            if ( self === top ) {
                document.documentElement.style.display = 'block';
            }
            else {
                top.location = self.location;
            }
        </script>
    </head>
    <body>
        <button onclick="clicked();">Click here if you love ducks</button>
    </body>
</html>

Now Checkmarx flags the file for the high severity issue Client DOM XSS due to the line:

top.location = self.location;

that was recommended to be added for legacy clickjack protection.

So if we implement the Checkmarx suggested fix on a low severity issue (Potential Clickjacking on Legacy Browsers), we introduce a high severity issue (Client DOM XSS).

What's the proper course of action here?

To reduce the risk of a DOM-based cross-site scripting vulnerability in your web application, URL encode the self.location:

top.location = encodeURI(self.location);
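As an added example (not code from the question, the answer or Checkmarx), here is the frame-busting decision pulled out into a pure function that can be unit-tested outside a browser: the scanner objects because a location-derived value (taint source) flows into the top.location navigation sink, so the function makes explicit that only an http(s) URL may ever reach that sink. The function names are assumptions, and bustFrame is hypothetical browser glue; the URL parser already returns a normalised, percent-encoded href, so the example relies on scheme validation rather than a second encoding pass (encodeURI on an already-encoded href would turn an existing %20 into %2520).

```javascript
// Added example, not from the question or the answer.
// frameBustTarget decides where a frame-buster should send the top window.
//   isTop:    the result of `self === top` in the browser
//   selfHref: String(self.location) of the (possibly framed) document
// Returns null when no navigation should happen, otherwise a validated URL.
function frameBustTarget(isTop, selfHref) {
  if (isTop) {
    return null; // not framed: nothing to do but reveal the page
  }
  let parsed;
  try {
    parsed = new URL(selfHref); // throws on input that is not a URL
  } catch (e) {
    return null; // refuse to navigate rather than guess
  }
  // Only http(s) may reach the top.location sink; javascript:, data: and
  // other schemes are rejected, which is what the scanner cannot infer
  // from a bare `top.location = self.location`.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return null;
  }
  // URL.href is already normalised and percent-encoded (space -> %20).
  return parsed.href;
}

// Hypothetical browser glue; assumes the <style> html {display:none}
// block from the Checkmarx example so the page stays hidden when framed.
function bustFrame() {
  if (self === top) {
    document.documentElement.style.display = 'block';
    return;
  }
  const target = frameBustTarget(false, String(self.location));
  if (target !== null) {
    top.location = target; // only a validated http(s) URL gets here
  }
  // otherwise the framed page simply stays hidden
}
```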
