We have developed a new application, and before moving the changes we did a static scan of code using checkmarx. There is a medium level vulnerablity that is found in the code named Client Cross Frame Scripting Attack.
This is detacted at first line of the JSP page :
<!DOCTYPE html>
Can you please help me understand this attack and what should be done to eliminate this?
On
Just add the following piece of code in your HTML file.
<style id='antiClickjack'>
body{display:none !important;}
</style>
<script type='text/javascript'>
if (self === top) {
var antiClickjack = document.getElementById('antiClickjack');
antiClickjack.parentNode.removeChild(antiClickjack);
} else {
top.location = self.location;
}
</script>
For more depth to this issue, and to actually fix the Cross-Frame Scripting problem check out https://css-tricks.com/snippets/javascript/break-out-of-iframe/
Basically throw this into your parent-most layout file (_Layout.cshtml in C# MVC)
(function (window) { // Prevent Cross-Frame Scripting attacks
if (window.location !== window.top.location)
window.top.location = window.location;
})(this);
The Client Cross Site Scripting Attack query finds if the page protects itself against being embedded in an IFrame. It searches for conditions such as:
and so on.
This specific file, I believe, has no such conditions, so it MOST LIKELY does not protect itself, and this is why the query has found and marked it. Since we are looking for a missing line here, the result just shows you the file, and cannot show you where the problem is.
Hope it helps,
Adar from Checkmarx.