NEXUS-21560

add X-Frame-Options header to some UI URLs to help avoid scanning software false positives for clickjacking


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.18.1
    • Fix Version/s: 3.20.0
    • Component/s: UI

      Description

      NXRM was scanned using Trustwave App Scanner (formerly known as Cenzic Hailstorm) software and violations for CWE-693 were detected for the following requests/responses:

      violation 1
      HTTP Request:
      GET /service/extdirect/poll/rapture_State_get?_dc=1560398708204 HTTP/1.1
      Host: nexusrm.example.com:8443
      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, */*
      Accept-Language: en-us,en;q=0.5, en-US,en;q=0.5
      Accept-Encoding: gzip,deflate
      Connection: keep-alive, keep-alive
      X-Nexus-UI: true
      NX-ANTI-CSRF-TOKEN: 0.6153046113914841
      X-Requested-With: XMLHttpRequest
      Referer: https://nexusrm.example.com:8443/
      HTTP Response:
      HTTP/1.1 200 OK
      Date: Thu, 03 Oct 2019 15:42:51 GMT
      Server: Nexus/3.18.1-01 (PRO)
      X-Content-Type-Options: nosniff
      Content-Type: application/json;charset=utf-8
      Content-Length: 11137

      violation 2
      HTTP Request:
      POST /service/rapture/session HTTP/1.1
      Host: nexusrm.example.com:8443
      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, */*
      Accept-Language: en-us,en;q=0.5, en-US,en;q=0.5
      Accept-Encoding: gzip,deflate
      Connection: keep-alive, keep-alive
      X-Nexus-UI: true
      NX-ANTI-CSRF-TOKEN: 0.6153046113914841
      X-Requested-With: XMLHttpRequest
      Referer: https://nexusrm.example.com:8443/
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      Content-Length: 57
      HTTP Response:
      HTTP/1.1 204 No Content
      Date: Thu, 03 Oct 2019 15:43:11 GMT
      Server: Nexus/3.18.1-01 (PRO)
      X-Content-Type-Options: nosniff
      Set-Cookie: NXSESSIONID=f41c144e-f014-45dd-baf4-a9dd2d599926; Path=/; HttpOnly; Secure


      Diagnosis

      Investigation concluded that these violations appear to be false positives for clickjacking. However, to stop the scanner software from flagging them, it is desired to return an X-Frame-Options header on these specific requests made from the UI.

      Relevant to this ask is this thread:

      https://stackoverflow.com/questions/34044966/is-it-meaningful-to-add-x-frame-options-in-an-restful-api

      The scenario where it makes sense to do this is exactly the one the OP mentioned - running a vulnerability scan.

      If you do not return a correct X-Frame-Options header the scan will fail. This matters when proving to customers that your endpoint is safe.

      It is much easier to provide your customer a passing report than have to argue why a missing header does not matter.

      Remediation Tips

      Use any one of the following headers. The header tells the browser whether to allow the page to be loaded
      inside a frame.

      • X-Frame-Options: SAMEORIGIN
      • X-Frame-Options: DENY

      Solution

      The following changes have been made to avoid the false positives reported by scanners.

      For these URLs:

      /service/extdirect/*
      /service/rapture/session

      NXRM will now return an additional response header:

      X-Frame-Options: deny

      And the Cache-Control response header value that used to be:

      post-check=0, pre-check=0

      is now:

      no-cache, no-store, max-age=0, must-revalidate, post-check=0, pre-check=0
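      As an added example (not Nexus code and not part of this issue), the following Python checker parses raw HTTP responses and reports the conditions behind the scanner findings above for the two URL patterns named in the fix: a missing or non-standard X-Frame-Options header (the Remediation Tips accept DENY or SAMEORIGIN) and a Cache-Control value lacking the no-cache, no-store and must-revalidate directives introduced in 3.20.0. The sample responses are constructed from the headers quoted in the issue; the scanner excerpts above do not show a Cache-Control line, so the "before" sample carries the old value stated in the Solution section. Function names, the glob interpretation of /service/extdirect/* and the contents of the "after" sample are assumptions of the example.

```python
"""Added example (not Nexus project code): check HTTP responses for the
X-Frame-Options and Cache-Control conditions described in NEXUS-21560.
All sample data below is constructed for the example."""

import fnmatch

# URL patterns the fix applies to (from the issue); treating the first as a glob
# is an assumption of this example.
PROTECTED_PATHS = ["/service/extdirect/*", "/service/rapture/session"]

# X-Frame-Options values accepted by the remediation tips (compared case-insensitively).
VALID_XFO = {"deny", "sameorigin"}

# Cache-Control directives the 3.20.0 fix adds to the session/extdirect responses.
REQUIRED_CACHE_DIRECTIVES = {"no-cache", "no-store", "must-revalidate"}

# Constructed sample: the 3.18.1 response from "violation 1", plus the old
# Cache-Control value the issue says was returned before the fix.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 03 Oct 2019 15:42:51 GMT\r\n"
    "Server: Nexus/3.18.1-01 (PRO)\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Cache-Control: post-check=0, pre-check=0\r\n"
    "Content-Type: application/json;charset=utf-8\r\n"
    "Content-Length: 11137\r\n"
    "\r\n"
)

# Constructed sample of the same endpoint after the change described in the Solution.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: deny\r\n"
    "Cache-Control: no-cache, no-store, max-age=0, must-revalidate, post-check=0, pre-check=0\r\n"
    "Content-Type: application/json;charset=utf-8\r\n"
    "Content-Length: 11137\r\n"
    "\r\n"
)


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_line, headers).
    Header names are lower-cased; repeated headers are joined with ', '."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.splitlines() if ln.strip()]
    status = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def is_protected(path: str) -> bool:
    """True if the request path (query string ignored) matches a protected pattern."""
    bare = path.split("?", 1)[0]
    return any(fnmatch.fnmatch(bare, pat) for pat in PROTECTED_PATHS)


def check_response(path: str, raw: str) -> list:
    """Return findings for one response; an empty list means it passes.
    Unprotected paths are not checked, mirroring the scope of the fix."""
    findings = []
    if not is_protected(path):
        return findings
    _, headers = parse_response(raw)

    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options (CWE-693)")
    elif xfo.lower() not in VALID_XFO:
        findings.append(f"unexpected X-Frame-Options value: {xfo!r}")

    # Compare directive names only, so "max-age=0" counts as "max-age".
    cc = headers.get("cache-control", "")
    present = {d.strip().split("=", 1)[0].lower() for d in cc.split(",") if d.strip()}
    missing = REQUIRED_CACHE_DIRECTIVES - present
    if missing:
        findings.append("Cache-Control lacks " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    poll = "/service/extdirect/poll/rapture_State_get?_dc=1560398708204"
    print("before:", check_response(poll, BEFORE))
    print("after: ", check_response(poll, AFTER))
```

      Run against captured responses, the checker reproduces the scanner's verdict on the 3.18.1 output and passes the 3.20.0 form; paths outside the two patterns are deliberately skipped, since the issue scopes the header change to those URLs only.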

      People

      Assignee: dbradicich Damian Bradicich
      Reporter: plynch Peter Lynch
      Last Updated By: Wes Wannemacher
      Team: NXRM - Neo
      Votes: 0
      Watchers: 4
