Rules Repository: RSPEC-5732

Disabling content security policy frame-ancestors directive is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure disabling content security policy frame-ancestors directive is safe here.
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, Java, JavaScript, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Linear
    • Linear Argument Description:
      60min
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-451
    • OWASP:
      A6

      Description

      Clickjacking attacks occur when an attacker tries to trick a user into clicking certain buttons or links of a legitimate website. The attack is carried out with malicious HTML frames, well hidden inside a website controlled by the attacker.

      For instance, suppose a safe and authentic page of a social network (https://socialnetworkexample.com/make_myprofil_public) allows a user to change the visibility of their profile by clicking a button. This is a critical feature with high privacy concerns, and users are generally well informed by the social network about the consequences of this action. An attacker can trick users into performing this action without their consent with the embedded code below, added to a malicious website:

      <html>
      <b>Click on the button below to win 5000$</b>
      <br>
      <iframe src="https://socialnetworkexample.com/makemyprofilpublic" width="200" height="200"></iframe>
      </html>
      

      By adjusting the size of the iframe it is sometimes possible to display only the critical parts of a page, in this case the button of the make_myprofil_public page.

      Ask Yourself Whether

      • Critical actions of the application are prone to clickjacking attacks because a simple click on a link or a button can trigger them.

      There is a risk if you answered yes to this question.

      Recommended Secure Coding Practices

      • Implement the Content Security Policy frame-ancestors directive, which is supported by all modern browsers and specifies the origins that are allowed to embed the page in a frame (this directive deprecates X-Frame-Options).

      See

        Attachments

        1. JavaScript RSPEC-5733 Language-Specification Active Unassigned

            People

            • Assignee:
              Unassigned
            • Reporter:
              eric.therond Eric Therond