Client Cross Frame Scripting Attack resolution

Tushar · Jan 5, 2015 · Viewed 14.9k times

We have developed a new application, and before moving the changes we did a static scan of the code using Checkmarx. There is a medium-level vulnerability found in the code named Client Cross Frame Scripting Attack.

This is detected at the first line of the JSP page:

<!DOCTYPE html>

Can you please help me understand this attack and what should be done to eliminate this?

Answer

adar · Jan 12, 2015

The Client Cross Site Scripting Attack query finds if the page protects itself against being embedded in an IFrame. It searches for conditions such as:

 if (top != self)
 if (top.location != location)
 if (top.frames.length != 0)

and so on.

This specific file, I believe, has no such conditions, so it MOST LIKELY does not protect itself, and this is why the query has found and marked it. Since we are looking for a missing line here, the result just shows you the file, and cannot show you where the problem is.

Hope it helps,

Adar from Checkmarx.
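
A frame-busting guard built around the `top != self` condition listed in the answer, as an added example that is not part of the original answer and not Checkmarx's own code. The function names and the `antiFrame` style id are assumptions, the page's `<head>` is assumed to contain `<style id="antiFrame">html{display:none}</style>`, and the page does not confirm that the scanner's query recognises this exact form.

```javascript
// Added example: keep the page hidden until it has verified it is the top window.
// Assumes <style id="antiFrame">html{display:none}</style> in <head> (hypothetical id).

function isFramed(win) {
  try {
    // Same comparison as the answer's first condition: top != self.
    return win.top !== win.self;
  } catch (e) {
    // Defensive: if the comparison cannot be made, assume we are framed.
    return true;
  }
}

function protectFromFraming(win, styleId = "antiFrame") {
  if (!isFramed(win)) {
    // Not embedded: remove the hiding style so the page renders normally.
    const style = win.document.getElementById(styleId);
    if (style) style.parentNode.removeChild(style);
    return "revealed";
  }
  try {
    // Embedded: try to replace the framing page with this page.
    win.top.location = win.self.location.href;
    return "redirect-attempted";
  } catch (e) {
    // The browser refused the navigation; the hiding style is still in
    // place, so the embedded copy stays invisible and cannot be clicked.
    return "hidden";
  }
}

// Run in a browser; skipped when loaded outside one (e.g. under Node).
if (typeof window !== "undefined") protectFromFraming(window);
```

Script checks like this can be defeated in some embedding setups, so the server should also send an `X-Frame-Options: DENY` (or `SAMEORIGIN`) response header or a Content-Security-Policy `frame-ancestors` directive.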