
List:       busybox
Subject:    httpd x-frame-option HTTP response header
From:       Steffen Hamann <steffen.hamann () keysight ! com>
Date:       2023-07-11 7:40:16
Message-ID: SJ0PR17MB5640D479246C1B51B1CAE363E131A () SJ0PR17MB5640 ! namprd17 ! prod ! outlook ! com

Dear BusyBox maintainers,

I hope this information can be useful for you.

Our Nessus scan recommends adding an x-frame-options HTTP response header to your httpd.
Is there something already available?
(sorry, but I can't find anything where I can modify the HTTP response header).

This is just an idea:

--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -1133,6 +1133,7 @@ static void send_headers(unsigned responseNum)
if (responseNum != HTTP_OK || found_mime_type) {
len += sprintf(iobuf + len,
"Content-type: %s\r\n",
+ "x-frame-options: SAMEORIGIN\r\n",
/* if it's error message, then it's HTML */
(responseNum != HTTP_OK ? "text/html" : found_mime_type)
);
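Review bot: the added line is passed as a separate sprintf argument rather than appended to the format string, because `"Content-type: %s\r\n",` keeps its trailing comma. The `%s` then consumes `"x-frame-options: SAMEORIGIN\r\n"` and the real type, `(responseNum != HTTP_OK ? "text/html" : found_mime_type)`, becomes an unused extra argument, so the response would carry `Content-type: x-frame-options: SAMEORIGIN` followed by a blank line and no actual content type. Drop the comma so the two literals concatenate into one format string, i.e. `"Content-type: %s\r\n"` on one line and `"X-Frame-Options: SAMEORIGIN\r\n",` on the next, with the existing ternary as the only argument. Two further points: the header is only emitted inside `if (responseNum != HTTP_OK || found_mime_type)`, so 200 responses without a recognised mime type still go out without it and a scan that expects it on every content response will keep flagging them; and since `len += sprintf(iobuf + len, ...)` grows the fixed header block by the new line, confirm that the sizing of `iobuf` still leaves room for it.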

Description:

The remote web server does not set an X-Frame-Options response header or a
Content-Security-Policy 'frame-ancestors' response header in all content responses.
This could potentially expose the site to a clickjacking or UI redress attack, in
which an attacker can trick a user into clicking an area of the vulnerable page that
is different than what the user perceives the page to be. This can result in a user
performing fraudulent or malicious transactions.

X-Frame-Options has been proposed by Microsoft as a way to mitigate clickjacking
attacks and is currently supported by all major browser vendors.

Content-Security-Policy (CSP) has been proposed by the W3C Web Application Security
Working Group, with increasing support among all major browser vendors, as a way to
mitigate clickjacking and other attacks. The 'frame-ancestors' policy directive
restricts which sources can embed the protected resource.

Note that while the X-Frame-Options and Content-Security-Policy response headers are
not the only mitigations for clickjacking, they are currently the most reliable
methods that can be detected through automation. Therefore, this plugin may produce
false positives if other mitigation strategies (e.g., frame-busting JavaScript) are
deployed or if the page does not perform any security-sensitive transactions.

Remediation:

Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors'
directive) HTTP header with the page's response. This prevents the page's content
from being rendered by another site when using the frame or iframe HTML tags.

Reference:

CWE:693

Best regards,

Steffen Hamann
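The following C is an added example, not BusyBox code and not the patch from the message above. It shows the two halves of the discussion: a send_headers()-style buffer builder that appends X-Frame-Options correctly (adjacent string literals joined by the compiler into one format string, with a bounds check on the buffer), and a scanner-style check of the kind the Nessus description refers to, which accepts either X-Frame-Options DENY/SAMEORIGIN or a Content-Security-Policy carrying a frame-ancestors directive and compares header names case-insensitively. The function names build_headers and has_frame_protection, the fixed "HTTP/1.1" status line and the sample responses in main are illustrative assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example, not BusyBox code. Builds a status line plus headers into
 * buf the way a send_headers()-style routine does. The two header literals
 * are adjacent, so the compiler joins them into ONE format string and the
 * single %s still receives the content type. Returns bytes written, or -1
 * when buf is too small. The "HTTP/1.1" status line is an assumption. */
int build_headers(char *buf, size_t cap, int status, const char *mime)
{
    int len = snprintf(buf, cap, "HTTP/1.1 %d %s\r\n",
                       status, status == 200 ? "OK" : "Error");
    if (len < 0 || (size_t)len >= cap)
        return -1;
    /* Error pages are always HTML, mirroring the ternary in the hunk. */
    int n = snprintf(buf + len, cap - (size_t)len,
                     "Content-Type: %s\r\n"
                     "X-Frame-Options: SAMEORIGIN\r\n"
                     "\r\n",
                     status != 200 ? "text/html" : mime);
    if (n < 0 || (size_t)n >= cap - (size_t)len)
        return -1;
    return len + n;
}

/* Case-insensitive comparison of an n-byte field value (trailing blanks
 * ignored) against an exact token such as DENY. */
static int value_is(const char *v, size_t n, const char *lit)
{
    while (n && (v[n - 1] == ' ' || v[n - 1] == '\t'))
        n--;
    return n == strlen(lit) && strncasecmp(v, lit, n) == 0;
}

/* Case-insensitive substring search inside an n-byte value. */
static int value_has(const char *v, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (strncasecmp(v + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Scanner-style check over a raw response (status line, CRLF-separated
 * headers, blank line). Returns 1 if the response restricts framing via
 * X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
 * Field names are compared case-insensitively, as HTTP requires. */
int has_frame_protection(const char *resp)
{
    const char *p = strstr(resp, "\r\n");     /* skip the status line */
    if (!p)
        return 0;
    p += 2;
    while (*p && !(p[0] == '\r' && p[1] == '\n')) {
        const char *eol = strstr(p, "\r\n");
        size_t line_len = eol ? (size_t)(eol - p) : strlen(p);
        const char *colon = memchr(p, ':', line_len);
        if (colon) {
            size_t name_len = (size_t)(colon - p);
            const char *val = colon + 1;
            size_t val_len = (size_t)(p + line_len - val);
            while (val_len && (*val == ' ' || *val == '\t')) {
                val++;
                val_len--;
            }
            if (name_len == 15 && strncasecmp(p, "X-Frame-Options", 15) == 0) {
                if (value_is(val, val_len, "DENY") ||
                    value_is(val, val_len, "SAMEORIGIN"))
                    return 1;
            } else if (name_len == 23 &&
                       strncasecmp(p, "Content-Security-Policy", 23) == 0) {
                if (value_has(val, val_len, "frame-ancestors"))
                    return 1;
            }
        }
        if (!eol)
            break;
        p = eol + 2;
    }
    return 0;
}

int main(void)
{
    char buf[256];
    int n = build_headers(buf, sizeof buf, 200, "text/html");
    printf("%d bytes:\n%s", n, buf);
    /* Constructed response without any framing restriction. */
    const char *bare = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n";
    printf("protected: %d, bare: %d\n",
           has_frame_protection(buf), has_frame_protection(bare));
    return 0;
}
```

The checker deliberately rejects values other than DENY and SAMEORIGIN (for example ALLOWALL, or the obsolete ALLOW-FROM), and a CSP without frame-ancestors, since neither restricts framing; a real scan would also have to request every content path, because a header added in one code path (as in the patch above) does not cover responses built elsewhere.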





_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
