
Q&A: Can Silverline Mitigate 150124 Clickjacking - Framable Page (Qualys WAS Result)?


Question

  • Within the Qualys Web Application Scan report, 150124 Clickjacking - Framable Page can be reported as a vulnerability. Is Silverline WAF capable of resolving/mitigating the vulnerability?


Environment

  • Silverline WAF 
  • WAF Policy Protection
  • Qualys/Vulnerability Scan Report

Answer

Yes. Clickjacking protection, in this case the X-Frame-Options header, is an HTTP response header that tells a browser whether it may render the page inside a <frame>, <iframe>, <embed> or <object> element.

Sites and web applications use it to avoid clickjacking attacks by ensuring that their content cannot be embedded into other sites.

There are 3 possible directives for X-Frame-Options:

  • deny - The page cannot be displayed in a frame, regardless of the site attempting to do so.
    • This is useful if the application does not use <frame>, <iframe>, <embed> or <object> at all.
    • Example:  x-frame-options: DENY
  • sameorigin - The page can only be displayed in a frame on the same origin as the page itself.
    • This is useful if the application does use <frame>, <iframe>, <embed> or <object> from the same domain.
    • Example:  x-frame-options: SAMEORIGIN
  • allow-from <uri> - This directive allows the page to be loaded in a frame only on trusted origins/domains.
    • This is useful if you utilize resources from other domains/hosts.
    • Example:  x-frame-options: ALLOW-FROM https://domain.com/
    • Note: ALLOW-FROM is obsolete and is ignored by current browsers, so it offers no protection there; the Content-Security-Policy frame-ancestors directive is the supported way to allow specific origins.
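The following is an added example, not F5 Silverline or Qualys code: a small checker that classifies a response's clickjacking protection from its headers, approximating the "framable page" decision behind a finding such as 150124. It assumes a plain dict of response headers; the header samples in the usage block are constructed.

```python
# Added example (not F5 Silverline or Qualys code): decide whether a response's headers
# leave the page framable. Browsers give a CSP frame-ancestors directive precedence
# over X-Frame-Options, and treat ALLOW-FROM as an unknown value.

def classify_framing(headers):
    """Return (protected, reason) for a dict of HTTP response headers (names case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # CSP frame-ancestors wins over X-Frame-Options when present.
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["*"]:
                return False, "CSP frame-ancestors allows any origin: page is framable"
            if sources:
                return True, "CSP frame-ancestors " + " ".join(parts[1:])

    xfo = h.get("x-frame-options")
    if xfo is None:
        return False, "no X-Frame-Options or frame-ancestors: page is framable"

    # The header may carry several comma-separated values (e.g. set by two layers of
    # proxies). DENY wins outright; SAMEORIGIN protects only when it is the sole value.
    values = {v.strip().upper() for v in xfo.split(",") if v.strip()}
    if "DENY" in values:
        return True, "X-Frame-Options DENY"
    if values == {"SAMEORIGIN"}:
        return True, "X-Frame-Options SAMEORIGIN"
    if any(v.startswith("ALLOW-FROM") for v in values):
        # Obsolete directive: current browsers ignore it, so it adds no protection.
        return False, "X-Frame-Options " + xfo + ": ALLOW-FROM is not honoured by modern browsers"
    return False, "X-Frame-Options " + xfo + ": unrecognised or conflicting value, header ignored"


if __name__ == "__main__":
    # Constructed header samples, not captured from any real site.
    for sample in ({"X-Frame-Options": "DENY"},
                   {"Content-Type": "text/html"},
                   {"x-frame-options": "ALLOW-FROM https://domain.com/"},
                   {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}):
        print(sample, "->", classify_framing(sample))
```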

What to Do

If you believe that your application is vulnerable or susceptible to this type of attack, see Q&A: How can I set the X-Frame-Options header in order to protect from "Clickjacking" attacks?


How to check Clickjacking Protection settings in Portal on WAF Policy Details

  1. In the Portal menu, navigate to Config > Proxy & App Configuration > WAF Policy Management.
  2. Use the search box in the top-right to find the policy, or find it in the table.
  3. Under the policy name in the list, click Details.
  4. Select URLs to see Clickjacking Protection.

