[Pen-Test] Medium Finding 25114 - ClickJacking Attack -- Due 7/10

[kenmayo]

Please resolve this finding NLT 7/10/24

• Finding: ClickJacking Attack X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
• Status Open
• Risk Medium
• Tools Used nessus,nmap
• Impact: Internal 10.247.32.50 10.247.32.4 (tcp/80,443) Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY.
• Recommendations: Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. Also See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

[hgbarreto]

Initial Configuration checks on likely sources of this vulnerability indicate proper configuration for most EC2 instances. The XFRAME headers are being explicitly added with the SAMEORIGIN option or the DENY option. In some cases, HTTP to HTTPS redirects cover the vulnerability regardless for the port 80 since it forces the use of HTTPS, making the call respect the XFRAME headers. Will verify the legacy proxies just in case. Will also verify the cluster web services as well.

[hgbarreto]

Team has decided to request a new scan due to the potential of having this vulnerability addressed already. The infrastructure has changed drastically since this scan was performed.

[hgbarreto]

Scan that was requested will take a while.

[hgbarreto]

Closing