
A potential clickjacking issue is reported when running a Checkmarx report on an Angular 13 project.
The issue is reported for app.component.html even when I try fixing it with a frame-busting script in the index.html file.
Any suggestions to fix this issue?

  1. Approach: Frame-busting script added to index.html

     <style> html { display: none; } </style>
     <script>
       if (self === top) {
         document.documentElement.style.display = 'block';
       } else {
         top.location = encodeURI(self.location);
       }
     </script>

     Result: One more high-priority issue was raised: Client DOM open redirect
  2. Approach: adding frame-ancestors to the CSP meta tag inside index.html

     <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' *.tech.orange; upgrade-insecure-requests; frame-ancestors 'none';">

     Result: Issue persists

  3. Approach: setting X-Frame-Options in the authentication service and the auth-http interceptor

     Inside authentication service:

     const myheader = new HttpHeaders()
       .set('Content-Type', CONTENT_TYPE)
       .set('Authorization', AUTH_AUTHENTICATION)
       .set('Content-Security-Policy', CSP_TYPE)
       .set('X-Frame-Options', 'SAMEORIGIN');

     Inside auth-http interceptor:

     intercept(req: HttpRequest<any>, next: HttpHandler) {
       const token = this.tokenService.getToken();
       if (token != null) {
         // one clone carrying both headers (the original cloned twice)
         req = req.clone({
           headers: req.headers
             .set('Authorization', 'Bearer ' + token)
             .set('X-Frame-Options', 'sameorigin')
         });
       }
       // an interceptor must hand the request on to the next handler
       return next.handle(req);
     }

     Result: Issue persists

  4. Approach: Setting X-Frame-Options in a head meta tag, both as a separate tag and alongside the CSP tag

     <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' *.tech.orange; upgrade-insecure-requests;">
     <meta http-equiv="X-Frame-Options" content="deny">

     Result: Issue persists

  5. Approach: A fix to the frame-busting script used in approach 1, as per the Stack Overflow recommendation below:

     Implementing Checkmarx suggested clickjacking fix introduces high severity Client DOM XSS vulnerability

     top.location = encodeURI(self.location);

     Result: Issue persists

  6. Approach: Configuring Nginx

     To configure Nginx to send the X-Frame-Options header, add this to your http, server or location block:

     add_header X-Frame-Options SAMEORIGIN always;

     Result: Issue persists

  7. Approach: Installing the npm package X-frame-options

     Not enough usage explanation for Angular

     Result: Unable to verify
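Added check, not part of the original question or of any answer: browsers honour X-Frame-Options and the CSP frame-ancestors directive only as HTTP response headers. X-Frame-Options in a <meta> tag is ignored, the CSP specification excludes frame-ancestors from <meta>-delivered policies, and HttpHeaders in an Angular service or interceptor sets request headers, which play no part in framing decisions. That is why approaches 2, 3 and 4 cannot work in a browser, while the nginx add_header line in approach 6 is the right place for the fix. The Node.js script below, written for this page, checks a set of response headers for an effective framing policy and flags the meta-tag forms that browsers ignore; every header set and HTML fragment in it is a constructed sample, and the response it assumes is one from a server configured as in approach 6.

```javascript
// Added example for this page (not code from the question or the answers):
// checks the HTTP *response* headers that browsers actually consult for
// framing, and flags meta-tag variants that they ignore.
// All header sets and HTML below are constructed samples.

// Parse a Content-Security-Policy header value into { directive: [tokens] }.
function parseCsp(header) {
  const policy = {};
  for (const part of String(header || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

// Returns { protected, reason } for a response header object. Header names
// are matched case-insensitively. A CSP frame-ancestors directive takes
// precedence over X-Frame-Options, as it does in browsers that support CSP.
function framingProtection(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) lower[name.toLowerCase()] = value;

  const ancestors = parseCsp(lower['content-security-policy'])['frame-ancestors'];
  if (ancestors) {
    const allowed = ancestors.map((v) => v.toLowerCase());
    if (allowed.length === 1 && (allowed[0] === "'none'" || allowed[0] === "'self'")) {
      return { protected: true, reason: `CSP frame-ancestors ${allowed[0]}` };
    }
    return { protected: false, reason: `CSP frame-ancestors allows ${ancestors.join(' ')}` };
  }

  const xfo = String(lower['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options ${xfo}` };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    return { protected: false, reason: 'X-Frame-Options ALLOW-FROM is not honoured by current browsers' };
  }
  return { protected: false, reason: 'no frame-ancestors directive or X-Frame-Options header' };
}

// Scan an HTML document for framing directives placed in <meta http-equiv>,
// which browsers ignore (the forms tried in approaches 2 and 4 above).
function ineffectiveFramingMeta(html) {
  const findings = [];
  const metaRe = /<meta\s+[^>]*http-equiv\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let match;
  while ((match = metaRe.exec(html)) !== null) {
    const directive = match[1].toLowerCase();
    if (directive === 'x-frame-options') {
      findings.push('X-Frame-Options in <meta> is ignored; send it as a response header');
    } else if (directive === 'content-security-policy' && /frame-ancestors/i.test(match[0])) {
      findings.push('frame-ancestors in a <meta> CSP is ignored; send the policy as a response header');
    }
  }
  return findings;
}

// Headers to emit from the server (nginx add_header as in approach 6, or any
// backend) in front of an Angular build; both forms are sent for old browsers.
function framingResponseHeaders() {
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': "frame-ancestors 'self'",
  };
}

// Constructed samples: a response like approach 6 produces, and a meta-only
// index.html like approach 4.
const SAMPLE_NGINX_RESPONSE = { Server: 'nginx', ...framingResponseHeaders() };
const SAMPLE_META_ONLY_INDEX = `
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; frame-ancestors 'none';">
<meta http-equiv="X-Frame-Options" content="deny">`;

console.log(framingProtection(SAMPLE_NGINX_RESPONSE));
console.log(framingProtection({ 'Content-Type': 'text/html' }));
console.log(ineffectiveFramingMeta(SAMPLE_META_ONLY_INDEX));
```

Run it with node against the headers your deployed origin returns (for example pasted from `curl -I`) to confirm that the server, not the Angular bundle, is sending the policy; a static scanner reading app.component.html never sees those headers, so the file-level finding and the real browser behaviour have to be judged separately.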

2 Answers


  1. // if the web app is under a clickjacking attack

     <script>
       if (window.self === window.top) {
         // main file: loaded at top level, nothing to do
       } else {
         var warning = document.createElement('div');
         warning.textContent = 'If you see this page, it is under a clickjacking security attack.';
         document.body.append(warning);
       }
     </script>

     Also tested the above code with the below HTML in a web page (test.html):

     <html>
       <head>
         <title>Clickjack vulnerability test page</title>
       </head>
       <body>
         <iframe src="http://localhost:3000/" width="900" height="300"></iframe>
       </body>
     </html>
  2. Yes, it is working now.

     <script>
       if (window.self === window.top) {
         // top-level: nothing to do
       } else {
         var emptyDiv = document.createElement('div');
         emptyDiv.innerHTML = "";
         document.body.append(emptyDiv);
       }
     </script>
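Added example, built on the `window.self === window.top` check used in both answers but not code from either of them: a frame guard that keeps the document hidden when it is framed and, if it navigates the top window at all, navigates it to a constant application-owned URL rather than to anything derived from `self.location`, which is the data flow from approach 1 that produced the Client DOM open redirect finding. `SAFE_LANDING_URL`, the mock window and document objects, and the `html { display: none; }` rule the guard expects in the page's stylesheet are assumptions made for this example. A script guard only supplements the server-side headers: a page framed with scripts disabled never runs it.

```javascript
// Added example (not code from the question or the answers). Assumes index.html
// starts with <style>html { display: none; }</style> so that content is hidden
// until the guard confirms the page is top-level. The landing URL is a constant
// owned by the application; nothing derived from self.location is ever assigned
// to top.location, so no location-derived value reaches a navigation sink.
const SAFE_LANDING_URL = 'https://app.example.test/'; // assumed; use your own origin

// A cross-origin parent blocks most property access, but comparing the
// self and top window references is always permitted.
function isFramed(win) {
  return win.self !== win.top;
}

// win and doc are injected so the guard can be exercised with mocks.
// Returns a small record of what was done, for testing and logging.
function applyFrameGuard(win, doc, landingUrl = SAFE_LANDING_URL) {
  if (!isFramed(win)) {
    doc.documentElement.style.display = 'block'; // top-level: reveal the app
    return { framed: false, navigatedTo: null };
  }
  doc.documentElement.style.display = 'none'; // framed: keep everything hidden
  let navigatedTo = null;
  try {
    // Navigating a cross-origin top window is allowed unless the frame is
    // sandboxed without allow-top-navigation; in that case the assignment
    // throws or is silently ignored, and the page simply stays hidden.
    win.top.location.href = landingUrl;
    navigatedTo = landingUrl;
  } catch (err) {
    navigatedTo = null;
  }
  return { framed: true, navigatedTo };
}

// Constructed mocks standing in for the browser objects.
function mockWindow(framed) {
  const win = { location: { href: 'https://app.example.test/account?tab=billing' } };
  win.self = win;
  win.top = framed ? { location: { href: 'about:blank' } } : win;
  return win;
}

function mockDocument() {
  return { documentElement: { style: { display: 'none' } } };
}

// In a real page: applyFrameGuard(window, document);
console.log(applyFrameGuard(mockWindow(false), mockDocument()));
console.log(applyFrameGuard(mockWindow(true), mockDocument()));
```

The trade-off against the script in approach 1 is that a framed visitor lands on the constant page instead of the deep link they were on; in exchange the script contains no value that originates from the URL, and the app stays hidden whether or not the navigation succeeds.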