Bug #2419
Possible Clickjacking Vulnerability
Status: closed
Description
According to our tests for PCI-DSS certification by a professional security auditing team, pfSense has a possible Clickjacking Vulnerability.
The following is the report:
The web page on port 80 is vulnerable to clickjacking attacks. This attack can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons. To prevent clickjacking in current browsers the X-FRAME-OPTIONS setting can be used. This response header option needs to be set on each site. In an ASP.NET environment this can be achieved by the command: this.Response.Headers["X-FRAME-OPTIONS"] = "DENY";
If the setting “DENY” is used, the page will never be loaded in a frame. The setting “SAMEORIGIN” allows displaying the page in a frame when the main document’s domain matches that page’s domain.
To protect customers using older browsers, the following JavaScript code should be added to the head of each document:
<style id="antiClickjack">body{display:none}</style>
<script type="text/javascript">
  if (self === top) {
    // Not framed: remove the hiding style so the page becomes visible
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
  } else {
    // Framed by another document: break out of the frame
    top.location = self.location;
  }
</script>
Both clickjacking preventions should be implemented to protect customers.
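Added verification example, not part of this bug report and not pfSense code: a Python script that inspects a response's headers for the X-Frame-Options header the report recommends, and also for the Content-Security-Policy frame-ancestors directive that current browsers honour in preference to X-Frame-Options. The sample responses are constructed for the example; the live fetch_headers helper, and any URL you pass to it, are assumptions about how you would run the check against your own web GUI after enabling the header.

```python
"""Check HTTP response headers for clickjacking (framing) protection.

Added example, not code from the pfSense issue or project. Evaluates the
X-Frame-Options header the audit report recommends and the CSP
frame-ancestors directive, which browsers prefer when both are present.
"""
import urllib.request
from typing import Dict, List, Optional

# Constructed sample responses (not captured from any real host).
RESPONSE_UNPROTECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: webserver\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>login form</body></html>"
)
RESPONSE_XFO_DENY = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
)
RESPONSE_CSP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
)
RESPONSE_ALLOW_FROM = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    "\r\n"
)


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.x response into a dict keyed by
    lower-cased name. Repeated headers are kept in order, because duplicate
    X-Frame-Options headers change how browsers treat the page."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_ancestors(csp_values: List[str]) -> Optional[List[str]]:
    """Return the source list of the first frame-ancestors directive, or None."""
    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None


def assess_framing_protection(headers: Dict[str, List[str]]) -> Dict[str, object]:
    """Decide whether the response forbids being framed by other origins."""
    notes: List[str] = []
    ancestors = frame_ancestors(headers.get("content-security-policy", []))
    if ancestors is not None:
        # A wildcard or bare scheme source lets any site frame the page.
        if not {"*", "http:", "https:"}.intersection(ancestors):
            return {"protected": True,
                    "mechanism": "Content-Security-Policy frame-ancestors",
                    "notes": notes}
        notes.append("frame-ancestors permits arbitrary framing")

    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    if len(set(xfo)) > 1:
        notes.append("conflicting X-Frame-Options values are ignored by browsers")
    elif xfo and xfo[0] in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "mechanism": "X-Frame-Options: " + xfo[0],
                "notes": notes}
    elif xfo and xfo[0].startswith("ALLOW-FROM"):
        notes.append("ALLOW-FROM is obsolete and not enforced by current browsers")
    elif xfo:
        notes.append("unrecognised X-Frame-Options value: " + xfo[0])
    else:
        notes.append("no X-Frame-Options header")
    return {"protected": False, "mechanism": None, "notes": notes}


def fetch_headers(url: str, timeout: float = 5.0) -> Dict[str, List[str]]:
    """Fetch a live response's headers with a HEAD request (assumed usage:
    point it at your own web GUI after enabling the header)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        headers: Dict[str, List[str]] = {}
        for name, value in resp.getheaders():
            headers.setdefault(name.lower(), []).append(value)
        return headers


if __name__ == "__main__":
    for label, raw in (("no header", RESPONSE_UNPROTECTED),
                       ("X-Frame-Options DENY", RESPONSE_XFO_DENY),
                       ("CSP frame-ancestors", RESPONSE_CSP),
                       ("ALLOW-FROM", RESPONSE_ALLOW_FROM)):
        print(label, "->", assess_framing_protection(parse_response_headers(raw)))
```

The first sample reproduces the audit finding (no framing header at all) and is reported as unprotected; DENY, SAMEORIGIN and a restrictive frame-ancestors list are reported as protected, while the obsolete ALLOW-FROM value and conflicting duplicate headers are flagged, since browsers do not enforce them.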