phoenix

Reputation: 21

Potential clickjacking on legacy browsers issue while running Checkmarx on Angular 13 project

A potential clickjacking issue is reported while running a Checkmarx report on an Angular 13 project. The issue is reported for app.component.html even if I try fixing it using frame-busting scripts in the index.html file. Any suggestions to fix this issue?

1. Approach: frame-busting script added to index.html

    <style> html { display: none; } </style>
    <script>
        if (self === top) {
            document.documentElement.style.display = 'block';
        } else {
            top.location = encodeURI(self.location);
        }
    </script>

Result: One more high priority issue was raised: Client DOM open redirect

2. Approach: adding frame-ancestors to the meta tag along with the CSP directives inside index.html

    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' *.tech.orange; upgrade-insecure-requests; frame-ancestors 'none';">

Result: Issue persists

3. Approach: setting X-Frame-Options in the authentication service and the auth-http interceptor

Inside authentication service:

    const myheader = new HttpHeaders()
      .set('Content-Type', CONTENT_TYPE)
      .set('Authorization', AUTH_AUTHENTICATION)
      .set('Content-Security-Policy', CSP_TYPE)
      .set('X-Frame-Options', 'SAMEORIGIN');

Inside auth-http interceptor:

    intercept(req: HttpRequest<any>, next: HttpHandler) {
      const token = this.tokenService.getToken();
      if (token != null) {
        req = req.clone({ headers: req.headers.set('Authorization', 'Bearer ' + token) });
        req = req.clone({
          headers: req.headers.set('Authorization', 'Bearer ' + token).set('X-Frame-Options', 'sameorigin')
        });
      }
      // hand the (possibly cloned) request on to the next handler in the chain
      return next.handle(req);
    }

Result: Issue persists

4. Approach: setting X-Frame-Options inside a head meta tag, both as a separate tag and along with the CSP tag

    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' *.tech.orange; upgrade-insecure-requests;">
    <meta http-equiv="X-Frame-Options" content="deny">

Result: Issue persists

5. Approach: a fix to the frame-busting script used in the earlier approach, as per the below Stack Overflow recommendation:

Implementing Checkmarx suggested clickjacking fix introduces high severity Client DOM XSS vulnerability

    top.location = encodeURI(self.location);

Result: Issue persists

6. Approach: configuring Nginx

To configure Nginx to send the X-Frame-Options header, add this to either your http, server or location configuration:

    add_header X-Frame-Options SAMEORIGIN always;

Result: Issue persists

7. Approach: installing the npm package X-frame-options

Not enough usage explanation for Angular

Result: Unable to verify

Upvotes: 2

Views: 5763
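Browsers honour X-Frame-Options and CSP frame-ancestors only as HTTP response headers on the framed document itself, which is why the meta-tag and request-interceptor approaches above cannot take effect, while the nginx add_header line is the effective fix that a static scan of the Angular source will never see. The following is an added example, not code from the question or its answers, that models that rule: it takes an assumed header map and an assumed delivery flag ('header' for real response headers, 'meta' for <meta http-equiv> tags) and reports whether the policy would be enforced.

```javascript
// Added example: model which anti-framing policy a browser would actually enforce.
// Assumed inputs: `headers` is a plain object of header name -> value (any case),
// `delivery` is 'header' for real HTTP response headers (e.g. nginx add_header)
// or 'meta' for <meta http-equiv> tags placed in index.html.

// Directives the CSP spec says browsers must ignore when CSP arrives via <meta>.
const CSP_META_IGNORED = new Set(['frame-ancestors', 'report-uri', 'report-to', 'sandbox']);
// Source expressions that allow framing from anywhere, so they give no protection.
const OPEN_SOURCES = new Set(['*', 'http:', 'https:']);

function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]);
}

// Parse a CSP value into directive -> source list, dropping the directives a
// browser discards for this delivery mechanism.
function effectiveDirectives(csp, delivery) {
  const directives = new Map();
  if (csp === null) return directives;
  for (const chunk of csp.split(';')) {
    const parts = chunk.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (delivery === 'meta' && CSP_META_IGNORED.has(name)) continue;
    directives.set(name, parts.slice(1).map(s => s.toLowerCase()));
  }
  return directives;
}

function assessFramingProtection(headers, delivery) {
  const csp = effectiveDirectives(getHeader(headers, 'Content-Security-Policy'), delivery);
  if (csp.has('frame-ancestors')) {
    // When both are present, frame-ancestors takes precedence over X-Frame-Options.
    const sources = csp.get('frame-ancestors');
    const restrictive = sources.length > 0 && !sources.some(s => OPEN_SOURCES.has(s));
    return { protected: restrictive, via: 'frame-ancestors', sources };
  }
  // X-Frame-Options is honoured only as a real response header, never via <meta>.
  const xfo = delivery === 'header' ? getHeader(headers, 'X-Frame-Options') : null;
  if (xfo !== null) {
    const value = xfo.trim().toUpperCase();
    // Only DENY and SAMEORIGIN are recognised; the obsolete ALLOW-FROM is ignored.
    return { protected: value === 'DENY' || value === 'SAMEORIGIN', via: 'x-frame-options', value };
  }
  return { protected: false, via: null };
}
```

Feeding the question's own meta-tag CSP through with delivery 'meta' yields no protection, while the same value as a response header (or the nginx X-Frame-Options line) yields an enforced policy.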

Answers (2)

Priyanga Manivelan

Reputation: 462

    // if the WebApp is under a clickjacking attack
    if (window.self === window.top) {
      // main file: the page is top-level, nothing to do
    } else {
      // the page is framed: show the warning
      var warning = document.createElement('div');
      warning.textContent = 'If you see this page, it is under a clickjacking security attack.';
      document.body.appendChild(warning);
    }

I also tested the above code with the HTML below in a web page (test.html):

    <html>
      <head>
        <title>Clickjack vulnerability test page</title>
      </head>
      <body>
        <iframe src="http://localhost:3000/" width="900" height="300"></iframe>
      </body>
    </html>

Upvotes: 1

DAIRAV

Reputation: 731

Yes, it is working now.

    <script>
      if (window.self === window.top) {
        // top-level: nothing to do
      } else {
        // framed: append an empty div to the page
        var emptyDiv = document.createElement('div');
        emptyDiv.innerHTML = "";
        document.body.append(emptyDiv);
      }
    </script>

Upvotes: 0
