search

Azure / api-management-developer-portal

Developer portal provided by the Azure API Management service.
MIT License
478 stars 306 forks source link

Developer Portal - Clickjacking vulnerability #2275

Open Suresh-SShanmugam opened 10 months ago

Suresh-SShanmugam commented 10 months ago

Bug description

For Developer Portal, after Pen test by Security team they identified a vulnerability "The web application is vulnerable to clickjacking". With the usage of Burp Clickbandit feature the team managed to overlay an iframe or a "clickable" area on top of the website. PFB for reference.

image

As we could not override the Iframe tag, kindly support on the right approach to fix the bug.

Expected behaviour

Below are the remediations recommended by Security team:

There are three main mechanisms that can be used to defend against these attacks:

• Preventing the browser from loading the page in frame using the X-Frame-Options or Content Security Policy (frame-ancestors) HTTP headers. • Preventing session cookies from being included when the page is loaded in a frame using the Same Site cookie attribute. • Implementing JavaScript code in the page to attempt to prevent it being loaded in a frame (known as a "frame-buster").

Note that these mechanisms are all independent of each other, and where possible more than one of them should. be implemented in order to provide defense in depth.

Is your portal managed or self-hosted?

Self-hosted

fpdutra commented 6 months ago

Have you configured CSP on your self-hosted hosting solution?