[Openstack-security] [Bug 1461154] Re: Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy browsers
Tristan Cacqueray
tdecacqu at redhat.com
Wed Jun 24 14:25:51 UTC 2015
** Description changed:
- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
-
Vulnerability Details
A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag
on a malicious page.
Impact
An attacker could use XFS to devise a Clickjacking attack to conduct phishing, frame sniffing,
social engineering or Cross-Site Request Forgery attacks.
Recommendations
Set the HTTP X-Frame-Options header to one of the following:
DENY - deny any frames
SAMEORIGIN - frames are only allowed from the same origin
ALLOW-FROM - a list of allowable origins
Although many pages within Horizon 1.1 leverage the X-Frame-Options
header with the recommended SAMEORIGIN policy, some (still popular)
older browsers don’t support this setting. Namely, browsers older than
IE 8 and Firefox 3.6.9 don’t recognize the header and are thus
vulnerable to an attack known as ClickJacking unless an additional
mitigating control is present.
To support legacy browsers, a suggested best practice is to add a frame
breaking script to the base/global template file. Based on
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best-for-now_Legacy_Browser_Frame_Breaking_Script
"""
One way to defend against clickjacking is to include a "frame-breaker"
script in each page that should not be framed. The following methodology
will prevent a webpage from being framed even in legacy browsers that
do not support the X-Frame-Options header.
In the document HEAD element, add the following:
First apply an ID to the style element itself:
<style id="antiClickjack">body{display:none !important;}</style>
And then delete that style by its ID immediately after in the script:
<script type="text/javascript">
  if (self === top) {
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
  } else {
    top.location = self.location;
  }
</script>
This way, everything can be in the document HEAD and you only need one
method/taglib in your API.
"""
https://bugs.launchpad.net/bugs/1461154
Title:
Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy
browsers
Status in OpenStack Dashboard (Horizon):
In Progress
Status in OpenStack Security Advisories:
Won't Fix