2

I have a doubt regarding the use of the Content Security Policy (CSP) as protection mechanism against clickjacking.

I have created an online Proof of Concept (PoC) on a web page where I put a button that loads the URL that is specified in an input field which is up and running on a server. This PoC is to test if a site is vulnerable or not, and based on that, I have tested a site which is using CSP to prevent clickjacking attacks. The result on my online PoC tell me that the site is not vulnerable because I'm not able to framing it, however, if I repeat the test using the static template provided in the OWASP site, then I'm able to see the content of the web page within the element.

So, I feel that the site may still be vulnerable, and I would like to know your opinion.

I noticed that the CSP is not returned in the header when I use the static PoC, do you believe that the this an error in programming which makes vulnerable the site?

Has anyone experienced this before?

Improve this question
4
  • Do you mean with "static PoC" that the resource is not loaded from a server but instead loaded from a local file? With a local file there is no HTTP server and no HTTP protocol is spoken and thus no HTTP header is used and thus no CSP header can be set in the HTTP header. So how do you specify your CSP in this case? With a meta tag or not at all? Commented Dec 12, 2016 at 17:28
  • 1
    The "static PoC" is an static HTML file based on the template in OWASP: <html> <head> <title>Clickjack test page</title> </head> <body> <p>Website is vulnerable to clickjacking!</p> <iframe src="http://www.target.site" width="500" height="500"></iframe> </body> </html> Commented Dec 12, 2016 at 21:36
  • So, I created an HTML file based on the OWASP Template [link] (owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009) to test if the site is vulnerable to clickjacking. However, I developed an online app that automates this process, so for each site that I have to test, I only put its URL in an input field and press the button to load the content within a <iframe>, if the content is visible then the site is vulnerable. Commented Dec 12, 2016 at 21:52
  • In the other hand, if a test the site using the static PoC which points out to the server online, then the CSP is not present in the response and the site is loaded within the <iframe> element. I wonder if this is a programming error or if the site could be considered as vulnerable. Commented Dec 12, 2016 at 22:15

3 Answers 3

Reset to default
1

Since you "static PoC" is just a static file loaded from disk there is obviously no HTTP server involved. This mean there is no HTTP protocol involved in serving the data and thus no HTTP header exist where the CSP header is set. This effectively means that your static PoC for CSP is no test for CSP at all since there is no CSP policy declared in your test. And without a declared CSP policy none will be applied.

Improve this answer
3
  • The "static" part is only the HTML file that frames the site that I'm testing. So, the site is never static, there is HTTP interaction to load its content which is always running online on an server, but the CSP is not returned in the response when I test it using the "static HTML file" to frame the site. Commented Dec 13, 2016 at 22:44
  • @Lennin: if I understand you correctly you load the outer frame as a local file and try to load the inner frame via HTTP and not as local file. And you see that there is no CSP set inside the HTTP header when loading the inner frame. In this case something is wrongly setup on the HTTP server but it impossible to say what. Having a proof of concept to reproduce your issue might help. Commented Dec 13, 2016 at 22:51
  • Yeah, that's my point and agree with you. Perhaps there is something wrongly setup on HTTP sever, I will take a look at the HTTP server configuration. Commented Dec 30, 2016 at 17:47
0

In order for CSP to prevent Clickjacking through the use of Iframe then the CSP policy must set the frame-ancestors policy directive which is a list of allowed sites.

If the site is returning this error you will receive in developer console will be:

"Refused to display 'http://www.target.site' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' ... ...".

Improve this answer
3
  • Yeah, the error message is properly shown in the <iframe> as well as in the browser's console. The CSP is set in the response as follows: HTTP/1.1 200 OK Content-Security-Policy: frame-ancestors 'self' ... However when I test the site using the static HTML PoC, then the header is not present and the site is vulnerable to clickjacking :/ I feel that this is not correct and could make the site vulnerable. But I would like to know your opinion. Commented Dec 12, 2016 at 22:11
  • I've tested using a static html PoC and for me, the CSP Policy header is present and properly enforced. Perhaps the target site you are testing is conditionally rendering the CSP header based on something in the request such as Host or Origin value? Commented Dec 13, 2016 at 6:36
  • Hi Alex, I believe you are right. Perhaps the target site is conditionally rendering the CSP. I will investigate it. Commented Dec 30, 2016 at 17:43
0

No server, no HTTP headers. So in essence no CSPs being applied. Throw your poc on an actual server, it sounds like you are just serving a file from your local disk.

Improve this answer
2
  • Sorry, I did'tn explain well before. Web application is running on a server, so there is server interaction indeed. The thing is that if the HTTP header is not being sent or removed with a web proxy tool, then the server is not responding with X-Frame-Options nor CSP. Commented Sep 11, 2017 at 16:04
  • What is static and in my local disk, is the HTML file that frames the content of the application. It is only an <iframe> tag pointing in src attribute to the server address where the application is running. So, the HTTP referer header is not being sent here. But, if a move the same HTML file to a server, then the referer is being added to the request, and server responds with proper X-Frame-Options or CSP. Programmers didn't anticipate this scenario so, if application does not sees the referer header, then anti-clickjacking headers are not returned in response. Commented Sep 11, 2017 at 16:13

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.