
Security Scan Vulnerability - "Cross Site Scripting / Cross Frame Scripting"

Issue

Security Scan Reports reveal "Cross-Site/Cross Frame Request Forgery" vulnerability.

Cause

The web application does not, or cannot, sufficiently verify that a well-formed, valid, consistent request was intentionally submitted by the user. When a web server accepts requests from a client without any mechanism for verifying that they were intentionally sent, an attacker may be able to trick the client into making an unintentional request that the server treats as authentic. This can be done via a URL, an image load, an XMLHttpRequest, and so on, and can result in exposure of data or unintended code execution. The cross-frame variant of the attack takes advantage of browser functionality to steal data from a website: web applications that allow their content to be hosted in a cross-domain IFRAME may be vulnerable to it.

Resolution

Administrators can mitigate this by configuring IIS to send an HTTP response header that prevents content from being hosted in a cross-domain IFRAME.

The X-Frame-Options header can be used to control whether a page may be placed in an IFRAME. Because the attack technique relies on being able to place the victim site in an IFRAME, a web application can protect itself by sending an appropriate X-Frame-Options header.

To add an X-Frame-Options header to all responses for your sites, follow one of the two options below.

Via Command Line

On the SecureAuth Appliance, open the CMD console as Administrator and execute the following command (without a site name after set config, appcmd writes the header at the server level in applicationHost.config, so it applies to every site on the appliance):

  • C:\Windows\System32\inetsrv\appcmd set config /section:httpProtocol /+customHeaders.[name='X-Frame-Options',value='SAMEORIGIN']

Manually Apply the Changes in IIS

  1. Open Internet Information Services (IIS) Manager.

  2. In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.

  3. Double-click the HTTP Response Headers icon in the feature list in the middle.

  4. In the Actions pane on the right side, click Add.

  5. In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.

  6. Click OK to save your changes.

Note

If you have other sites that need this configuration, repeat steps 2 through 6 for those sites also.
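Whichever option you use, confirm that the header is both configured in IIS and actually returned to clients. The following PowerShell script is an added example and is not part of the SecureAuth article; it assumes the site is named "Default Web Site" and answers at https://localhost/ (both are placeholders to adjust for your appliance), and it uses the WebAdministration module that ships with IIS.

```powershell
# Added verification script (not from the SecureAuth article).
# Assumptions: site name and URL below are placeholders; adjust for your appliance.
param(
    [string]$SiteName = 'Default Web Site',
    [string]$Url      = 'https://localhost/'
)

Import-Module WebAdministration

# 1. Configuration check: read the X-Frame-Options custom header as IIS has it
#    for this site (inherited server-level settings are visible here too).
$configured = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter "system.webServer/httpProtocol/customHeaders/add[@name='X-Frame-Options']" `
    -Name 'value'

if ($configured) {
    Write-Output "Configured in IIS for '$SiteName': X-Frame-Options: $($configured.Value)"
} else {
    Write-Output "NOT configured in IIS for '$SiteName': no X-Frame-Options custom header"
}

# 2. On-the-wire check: fetch the page and inspect the response header the browser
#    will actually see. -UseBasicParsing avoids the Internet Explorer engine dependency.
try {
    $response = Invoke-WebRequest -Uri $Url -UseBasicParsing
} catch {
    Write-Output "Request to $Url failed: $($_.Exception.Message)"
    return
}

# Coerce to a single string: Windows PowerShell returns a string, PowerShell 7 a string[].
$xfo = [string]($response.Headers['X-Frame-Options'])

if (-not $xfo) {
    Write-Output "FAIL: $Url returned no X-Frame-Options header; the page can be framed cross-domain"
} elseif ($xfo -match '^\s*(DENY|SAMEORIGIN)\s*$') {
    Write-Output "OK: $Url returned X-Frame-Options: $xfo"
} else {
    # Browsers ignore ALLOW-FROM, unknown tokens, and conflicting duplicate values,
    # which leaves the page frameable even though a header is present.
    Write-Output "WARNING: $Url returned unexpected value '$xfo'; use SAMEORIGIN or DENY"
}
```

Run the script from an elevated PowerShell prompt on the appliance. If the site uses a self-signed certificate, point $Url at the hostname on the certificate rather than localhost so the request is not rejected before any headers are returned.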