We have developed a new application, and before moving the changes we did a static scan of code using checkmarx. There is a medium level vulnerablity that is found in the code named Client Cross Frame Scripting Attack.
This is detacted at first line of the JSP page :
<!DOCTYPE html>
Can you please help me understand this attack and what should be done to eliminate this?
The Client Cross Site Scripting Attack query finds if the page protects itself against being embedded in an IFrame. It searches for conditions such as:
if (top != self)
if (top.location != location)
if (top.frames.length != 0)
and so on.
This specific file, I believe, has no such conditions, so it MOST LIKELY does not protect itself, and this is why the query has found and marked it. Since we are looking for a missing line here, the result just shows you the file, and cannot show you where the problem is.
Hope it helps,
Adar from Checkmarx.
Just add the following piece of code in your HTML file.
<style id='antiClickjack'>
body{display:none !important;}
</style>
<script type='text/javascript'>
if (self === top) {
var antiClickjack = document.getElementById('antiClickjack');
antiClickjack.parentNode.removeChild(antiClickjack);
} else {
top.location = self.location;
}
</script>
For more depth to this issue, and to actually fix the Cross-Frame Scripting problem check out https://css-tricks.com/snippets/javascript/break-out-of-iframe/
Basically throw this into your parent-most layout file (_Layout.cshtml in C# MVC)
(function (window) { // Prevent Cross-Frame Scripting attacks
if (window.location !== window.top.location)
window.top.location = window.location;
})(this);
