NEXUS-21560 (Dev - Nexus Repo)

add X-Frame-Options header to some UI URLs to help avoid scanning software false positives for clickjacking

    Details

      Description

      NXRM was scanned using Trustwave App Scanner (formerly known as Cenzic Hailstorm) software and violations for CWE-693 were detected for the following requests/responses:

      violation 1
      HTTP Request:
      GET /service/extdirect/poll/rapture_State_get?_dc=1560398708204 HTTP/1.1
      Host: nexusrm.example.com:8443
      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, */*
      Accept-Language: en-us,en;q=0.5, en-US,en;q=0.5
      Accept-Encoding: gzip,deflate
      Connection: keep-alive, keep-alive
      X-Nexus-UI: true
      NX-ANTI-CSRF-TOKEN: 0.6153046113914841
      X-Requested-With: XMLHttpRequest
      Referer: https://nexusrm.example.com:8443/
      HTTP Response:
      HTTP/1.1 200 OK
      Date: Thu, 03 Oct 2019 15:42:51 GMT
      Server: Nexus/3.18.1-01 (PRO)
      X-Content-Type-Options: nosniff
      Content-Type: application/json;charset=utf-8
      Content-Length: 11137
      
      
      violation 2
      HTTP Request:
      POST /service/rapture/session HTTP/1.1
      Host: nexusrm.example.com:8443
      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, */*
      Accept-Language: en-us,en;q=0.5, en-US,en;q=0.5
      Accept-Encoding: gzip,deflate
      Connection: keep-alive, keep-alive
      X-Nexus-UI: true
      NX-ANTI-CSRF-TOKEN: 0.6153046113914841
      X-Requested-With: XMLHttpRequest
      Referer: https://nexusrm.example.com:8443/
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      Content-Length: 57
      HTTP Response:
      HTTP/1.1 204 No Content
      Date: Thu, 03 Oct 2019 15:43:11 GMT
      Server: Nexus/3.18.1-01 (PRO)
      X-Content-Type-Options: nosniff
      Set-Cookie: NXSESSIONID=f41c144e-f014-45dd-baf4-a9dd2d599926; Path=/; HttpOnly; Secure
      

      Diagnosis

      Investigation concluded that these violations appear to be false positives for clickjacking. However, to stop the scanner software from flagging them, it is desirable to return X-Frame-Options headers for these specific requests made from the UI.

      Relevant to this ask is this thread:

      https://stackoverflow.com/questions/34044966/is-it-meaningful-to-add-x-frame-options-in-an-restful-api

      The scenario where it makes sense to do this is exactly the one the OP mentioned: running a vulnerability scan.

      If you do not return a correct X-Frame-Options header, the scan will fail. This matters when proving to customers that your endpoint is safe.

      It is much easier to provide your customer with a passing report than to have to argue why a missing header does not matter.

      Remediation Tips

      Use either of the following headers. The header tells the browser whether to allow the page to be loaded
      inside a frame.

      • X-Frame-Options: SAMEORIGIN
      • X-Frame-Options: DENY

      Solution

      The following changes have been made so that scanners no longer report these false positives.

      For these URLs

      /service/extdirect/*
      /service/rapture/session
      

      NXRM will now return an additional response header:

      X-Frame-Options: deny
      

      And a Cache-Control response header value that used to be:

      post-check=0, pre-check=0
      

      and is now:

      no-cache, no-store, max-age=0, must-revalidate, post-check=0, pre-check=0
      
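      As an added example (not code from Nexus or this issue), the following Python check parses a raw HTTP response and reports whether a URL covered by this fix carries the X-Frame-Options and Cache-Control values described in the Solution. The two sample responses are constructed from the ones quoted in the report, and treating `/service/extdirect/*` as a glob is an assumption.

```python
from fnmatch import fnmatchcase

# URL patterns from the fix; glob semantics for "/service/extdirect/*" are assumed
FIXED_PATHS = ["/service/extdirect/*", "/service/rapture/session"]
# Cache-Control directives the fix adds (post-check/pre-check were already present)
REQUIRED_CACHE_CONTROL = {"no-cache", "no-store", "max-age=0", "must-revalidate"}


def parse_response_headers(raw: str) -> dict[str, list[str]]:
    """Parse the header block of a raw HTTP response; names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")  # split on the first colon only
        if name.strip():
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def path_is_covered(path: str) -> bool:
    """True if the request path is one of the URLs the fix applies to."""
    path = path.split("?", 1)[0]  # ignore query strings such as ?_dc=...
    return any(fnmatchcase(path, pattern) for pattern in FIXED_PATHS)


def check_clickjacking_headers(path: str, raw_response: str) -> list[str]:
    """Return findings for one request/response pair; an empty list means it passes."""
    if not path_is_covered(path):
        return []
    headers = parse_response_headers(raw_response)
    findings = []
    xfo = [v.lower() for v in headers.get("x-frame-options", [])]
    if not xfo:
        findings.append("missing X-Frame-Options (CWE-693 finding)")
    elif xfo[0] not in ("deny", "sameorigin"):
        findings.append(f"unexpected X-Frame-Options value: {xfo[0]}")
    directives = {d.strip().lower() for v in headers.get("cache-control", []) for d in v.split(",")}
    missing = REQUIRED_CACHE_CONTROL - directives
    if missing:
        findings.append("Cache-Control lacks: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample responses modelled on violation 1: before and after the fix
BEFORE = ("HTTP/1.1 200 OK\r\nDate: Thu, 03 Oct 2019 15:42:51 GMT\r\nServer: Nexus/3.18.1-01 (PRO)\r\n"
          "X-Content-Type-Options: nosniff\r\nContent-Type: application/json;charset=utf-8\r\n"
          "Cache-Control: post-check=0, pre-check=0\r\n\r\n{}")
AFTER = BEFORE.replace("Cache-Control: post-check=0, pre-check=0",
                       "X-Frame-Options: deny\r\nCache-Control: no-cache, no-store, max-age=0, "
                       "must-revalidate, post-check=0, pre-check=0")
```

      Running `check_clickjacking_headers` over the UI requests in a scanner's saved responses shows the pre-fix response failing on both headers and the post-fix response passing, while repository URLs outside the listed patterns are left alone.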

              People

              Assignee:
              dbradicich Damian Bradicich
              Reporter:
              plynch Peter Lynch
              Last Updated By:
              Michael Prescott Michael Prescott
              Team:
              NXRM - Neo