Developer Portal - Clickjacking vulnerability #2275
Comments
|
Have you configured CSP on your self-hosted hosting solution? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Bug description
For Developer Portal, after Pen test by Security team they identified a vulnerability "The web application is vulnerable to clickjacking". With the usage of Burp Clickbandit feature the team managed to overlay an iframe or a "clickable"
area on top of the website. PFB for reference.
As we could not override the Iframe tag, kindly support on the right approach to fix the bug.
Expected behaviour
Below are the remediations recommended by Security team:
There are three main mechanisms that can be used to defend against these attacks:
• Preventing the browser from loading the page in frame using the X-Frame-Options or Content Security
Policy (frame-ancestors) HTTP headers.
• Preventing session cookies from being included when the page is loaded in a frame using the Same Site
cookie attribute.
• Implementing JavaScript code in the page to attempt to prevent it being loaded in a frame (known as a
"frame-buster").
Note that these mechanisms are all independent of each other, and where possible more than one of them should.
be implemented in order to provide defense in depth.
Is your portal managed or self-hosted?
Self-hosted
The text was updated successfully, but these errors were encountered: