Potential clickjacking issue on legacy browsers when running Checkmarx on an Angular 13 project



When running a Checkmarx report on an Angular 13 project, a potential clickjacking issue is reported. The issue is reported on app.component.html, even though I tried to fix it with a frame-busting script in the index.html file. Any suggestions on how to fix this?

  1. Approach: add a frame-busting script to index.html

    <style> html { display: none; } </style>
    <script>
    if (self === top) {
        document.documentElement.style.display = 'block';
    } else {
        top.location = encodeURI(self.location);
    }
    </script>

    Result: one more high-priority issue was raised: Client DOM open redirect
  2. Approach: add frame-ancestors to the CSP meta tag in index.html

    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' *.tech.orange; upgrade-insecure-requests; frame-ancestors 'none';">

    Result: the issue persists

  3. Approach: set X-Frame-Options in the authentication service and the auth-http interceptor

    Inside the authentication service:

    const myheader = new HttpHeaders()
      .set('Content-Type', CONTENT_TYPE)
      .set('Authorization', AUTH_AUTHENTICATION)
      .set('Content-Security-Policy', CSP_TYPE)
      .set('X-Frame-Options', 'SAMEORIGIN');

    Inside the auth-http interceptor:

    intercept(req: HttpRequest<any>, next: HttpHandler) {
      const token = this.tokenService.getToken();
      if (token != null) {
        req = req.clone({ headers: req.headers.set('Authorization', 'Bearer ' + token).set('X-Frame-Options', 'sameorigin') });
      }
      return next.handle(req);
    }

    Result: the issue persists

  4. Approach: set X-Frame-Options as a separate meta tag inside head, alongside the CSP tag

    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' *.tech.orange; upgrade-insecure-requests;">
    <meta http-equiv="X-Frame-Options" content="deny">

    Result: the issue persists

  5. Approach: fix the frame-busting script used in the earlier approach, following this Stack Overflow suggestion:

    Implementing the Checkmarx-suggested clickjacking fix introduced a high-severity client DOM XSS vulnerability

    top.location = encodeURI(self.location);

    Result: the issue persists

  6. Approach: configure Nginx

    To configure Nginx to send the X-Frame-Options header, add this to your http, server or location configuration:

    add_header X-Frame-Options SAMEORIGIN always;

    Result: the issue persists

  7. Approach: install the npm package X-frame-options

    The usage explanation for Angular is insufficient.

    Result: could not verify
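An added check, not code from the question or any answer, that reports whether an HTTP response carries framing protection a browser will enforce: X-Frame-Options and CSP frame-ancestors only take effect as response headers, so placing them in `<meta>` tags or on outgoing request headers (approaches 2 to 4 above) leaves the page unprotected. It assumes headers are supplied as a lowercase-keyed object, the shape Node's http module exposes; the sample responses are constructed.

```javascript
// Added example (not from the question or any answer): report whether an HTTP
// response carries framing protection that browsers actually enforce.
// Assumption: headers are a plain object keyed by lowercase header name, the
// shape of Node's http.IncomingMessage.headers.

// Extract the source list of the frame-ancestors directive from a CSP value,
// or null when the directive is absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

// Returns { protected: boolean, reason: string } for one response.
function assessFramingProtection(headers) {
  const ancestors = frameAncestors(headers['content-security-policy']);
  if (ancestors) {
    // CSP Level 3: when frame-ancestors is present, X-Frame-Options is ignored,
    // so a permissive CSP silently overrides a strict X-Frame-Options header.
    if (ancestors.some(s => s === '*' || s === 'http:' || s === 'https:')) {
      return { protected: false, reason: 'frame-ancestors allows any origin: ' + ancestors.join(' ') };
    }
    return { protected: true, reason: 'frame-ancestors ' + ancestors.join(' ') };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, reason: 'X-Frame-Options ' + xfo };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    return { protected: false, reason: 'ALLOW-FROM is obsolete and ignored by current browsers' };
  }
  // <meta http-equiv="X-Frame-Options"> and a <meta> CSP carrying frame-ancestors
  // are both ignored by browsers, so a page relying on them lands here.
  return { protected: false, reason: 'no enforced framing directive in response headers' };
}

// Constructed sample responses modelled on the approaches in the question.
const SAMPLES = {
  metaTagsOnly: { 'content-type': 'text/html' },                                   // approaches 2 and 4
  nginx:        { 'x-frame-options': 'SAMEORIGIN' },                                // approach 6
  cspHeader:    { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  conflicting:  { 'x-frame-options': 'DENY', 'content-security-policy': 'frame-ancestors *' },
};

// Assess every sample; returns a name -> verdict map.
function report() {
  return Object.fromEntries(Object.entries(SAMPLES).map(([n, h]) => [n, assessFramingProtection(h)]));
}
```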

    <script>
    // If the web app is loaded inside a frame (a possible clickjacking attack), show a warning instead of the page
    if (window.self === window.top) {
        // main file: loaded top-level, nothing to do
    } else {
        var warning = document.createElement('div');
        warning.textContent = 'If you see this page, it is under a clickjacking security attack.';
        document.body.appendChild(warning);
    }
    </script>

    Also tested the above code with the below HTML in a web page (test.html):

    <html>
    <head>
    <title>Clickjack vulnerability test page</title>
    </head>
    <body>
    <iframe src="http://localhost:3000/" width="900" height="300"></iframe>
    </body>
    </html>
    

    Yes, it is working now.

    <script>
    if (window.self === window.top) {
    } else {
        var emptyDiv = document.createElement('div');
        emptyDiv.innerHTML = "";
        document.body.append(emptyDiv);
    }
    </script>
    
