Scripts for script with client
We developed a new application, and before pushing the changes, we did a static code scan with checkmarkx. There is a mid-level vulnerability in the code named Client Cross Frame Scripting Attack.
This is deactivated on the first line of the JSP page:
<!DOCTYPE html>
Could you please help me understand this attack and what needs to be done to eliminate it?
source to share
The request "Client Interworking Script Attack" reveals that the page is protecting itself from the embedded IFrame. It looks for conditions like:
if (top != self)
if (top.location != location)
if (top.frames.length != 0)
etc.
This particular file, I believe, does not have such conditions, so it CANNOT SAFE, so the request found and tagged it. Since we are looking for the missing line here, the result is just showing you the file and cannot show you where the problem is.
Hope it helps,
Adar from Checkmarx .
source to share
For more depth on this issue and to fix the interframe scripting issue, check https://css-tricks.com/snippets/javascript/break-out-of-iframe/
Basically drag this into your parent-majority layout file (_Layout.cshtml in C # MVC)
(function (window) { // Prevent Cross-Frame Scripting attacks
if (window.location !== window.top.location)
window.top.location = window.location;
})(this);
source to share
Just add the following code to your HTML file.
<style id='antiClickjack'>
body{display:none !important;}
</style>
<script type='text/javascript'>
if (self === top) {
var antiClickjack = document.getElementById('antiClickjack');
antiClickjack.parentNode.removeChild(antiClickjack);
} else {
top.location = self.location;
}
</script>
source to share