Potential clickjacking issue on older browsers when running Checkmarx on an Angular 13 project

Published 01-19 04:18 · 2527 characters · 9 views · 0 comments

A potential clickjacking issue is reported while running a Checkmarx report on an Angular 13 project.
The issue is reported for app.component.html even if I try fixing it using frame-busting scripts in the index.html file.
Any suggestions to fix this issue?

1) Approach: Frame-busting script added to index.html

    <style> html { display: none; } </style>
    <script>
        if (self === top) {
            document.documentElement.style.display = 'block';
        } else {
            top.location = encodeURI(self.location);
        }
    </script>

Result: One more high-priority issue was raised: Client DOM open redirect

2) Approach: Adding frame-ancestors to the meta tag along with the CSP tags inside index.html

    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' *.tech.orange; upgrade-insecure-requests; frame-ancestors 'none';">

Result: Issue persists

3) Approach: Setting X-Frame-Options in the authentication service and the auth-http interceptor

Inside the authentication service:

    const myheader = new HttpHeaders()
        .set('Content-Type', CONTENT_TYPE)
        .set('Authorization', AUTH_AUTHENTICATION)
        .set('Content-Security-Policy', CSP_TYPE)
        .set('X-Frame-Options', 'SAMEORIGIN');

Inside the auth-http interceptor:

    intercept(req: HttpRequest<any>, next: HttpHandler) {
        const token = this.tokenService.getToken();
        if (token != null) {
            req = req.clone({ headers: req.headers.set('Authorization', 'Bearer ' + token) });
            req = req.clone({
                headers: req.headers
                    .set('Authorization', 'Bearer ' + token)
                    .set('X-Frame-Options', 'sameorigin')
            });
        }
        // Pass the (possibly modified) request on to the next handler.
        return next.handle(req);
    }

Result: Issue persists

4) Approach: Setting X-Frame-Options inside a head meta tag, as a separate tag as well as alongside the CSP tags

    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' *.tech.orange; upgrade-insecure-requests;">
    <meta http-equiv="X-Frame-Options" content="deny">

Result: Issue persists

5) Approach: A fix to the frame-busting script used in the earlier approach, as per the Stack Overflow recommendation in "Implementing Checkmarx suggested clickjacking fix introduces high severity Client DOM XSS vulnerability":

    top.location = encodeURI(self.location);

Result: Issue persists

6) Approach: Configuring Nginx

To configure Nginx to send the X-Frame-Options header, add this to your http, server or location configuration:

    add_header X-Frame-Options SAMEORIGIN always;

Result: Issue persists

7) Approach: Installing the npm package X-frame-options

Not enough usage explanation for Angular.

Result: Unable to verify
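The following is an added example; it is not code from the question or from any of its comments. It makes concrete why approaches 2, 3 and 4 cannot take effect: browsers enforce clickjacking protection only from HTTP response headers. X-Frame-Options delivered in a <meta http-equiv> tag is ignored, the CSP specification ignores frame-ancestors delivered via <meta>, and a header set on an Angular HttpClient request is sent to the API server rather than applied to the page the browser is rendering. The first function evaluates a response's headers the way a reviewer would (CSP frame-ancestors taking precedence over X-Frame-Options, as the CSP specification directs); the second is the client-side fallback of approach 1 with the top.location write removed, since that assignment is the line approach 1 reports as raising the client DOM open redirect finding. The header values, the protectiveHeaders object and the mock window and document objects are constructed for this example.

```javascript
// Added example (not from the original question): what a browser actually
// honours against clickjacking, and a client-side fallback that avoids the
// top.location sink. Header values and window objects here are constructed.

// Split a Content-Security-Policy value into a Map of directive -> sources.
// The first occurrence of a directive wins, as in the CSP specification.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when the HTTP *response* headers stop a cross-origin page from framing
// this document. Header names are matched case-insensitively. When CSP carries
// frame-ancestors, it takes precedence and X-Frame-Options is not consulted.
function framingBlockedByHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  if (h['content-security-policy']) {
    const ancestors = parseCsp(h['content-security-policy']).get('frame-ancestors');
    if (ancestors !== undefined) {
      // Only 'none' and 'self' keep third-party origins out; any host, scheme
      // or wildcard source lets some other origin frame the page.
      return ancestors.every((src) => src === "'none'" || src === "'self'");
    }
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  return xfo === 'DENY' || xfo === 'SAMEORIGIN';
}

// Response headers the web server (e.g. the nginx of approach 6) should attach
// to index.html. Sending both covers browsers without frame-ancestors support.
const protectiveHeaders = {
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
};

// Client-side fallback in the spirit of approach 1. The document starts hidden
// (html { display: none }); it is revealed only when it is the top window, and
// when framed it stays hidden instead of navigating the parent, so there is no
// write to top.location. win and doc are injected so the logic is testable.
function applyFramingDefense(win, doc) {
  if (win.self === win.top) {
    doc.documentElement.style.display = 'block';
    return 'top';
  }
  doc.documentElement.style.display = 'none';
  return 'framed';
}
```

The check mirrors what is observable on the wire: a CSP that lacks frame-ancestors (like the one in approaches 2 and 4 once the meta tag is disregarded) and no X-Frame-Options response header leaves the page frameable, whatever the HTML or the outgoing API requests contain.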


Comments (2)

我偏爱纯白色 2025-01-26 04:18:55
// If the web app is being framed (a possible clickjacking attack)
if (window.self === window.top) {
    // main file: running as the top-level document
} else {
    document.body.innerHTML =
        '<div>If you see this page, it is under a clickjacking security attack.</div>';
}

Also tested the above code with the below HTML in a web page (test.html):

<html>
  <head>
    <title>Clickjack vulnerability test page</title>
  </head>
  <body>
    <iframe src="http://localhost:3000/" width="900" height="300"></iframe>
  </body>
</html>
海夕 2025-01-26 04:18:55

Yes it is working now.

    <script>
        if (window.self === window.top) {
            // top-level document: nothing to do
        } else {
            // framed: append an empty div instead of redirecting the parent
            var emptyDiv = document.createElement('div');
            emptyDiv.innerHTML = "";
            document.body.append(emptyDiv);
        }
    </script>