How to prevent Cross-Frame Scripting attack

2 posts, 0 answers
  1. Darius
     15 posts
     Member since: Nov 2017

     Posted 29 Mar 2018


    I want to prevent Cross-Frame scripting attack. Note that I am not asking about Cross-site Scripting attack, but Cross-Frame.

    A security scan flags my website with a Cross-Frame vulnerability. However, I don't see an IFRAME anywhere in the rendered markup, but I am positive this is related to Telerik controls. How do you prevent a cross-frame attack, which I believe allows an attacker to inject alternate content into an IFRAME on the page?

    I have the following Telerik controls/assemblies on the page:

    1) Telerik.Web.UI
    2) RadScriptManager
    3) RadAjaxManager
    4) RadStyleSheetManager
    5) RadMenu
    6) RadComboBox
    7) RadPanelBar
    8) RadGrid
    9) RadAjaxManagerProxy

  2. Marin Bratanov
     5243 posts

     Posted 30 Mar 2018

    Hi Darius,

    Cross-frame scripting attacks usually require the attacker to have the end user open a page that the attacker owns, and that page hosts an <iframe> with your legitimate page. This is something that the end user must look out for, as it is not something user interface controls can influence. What I can suggest you look into is adding an X-Frame-Options: SAMEORIGIN header so that your pages can only be framed by your domain. This can allow controls of ours that use <iframe>s to still work, while reducing the risk of an attacker using your pages in a frame attack.

    If the attacker already can inject content into <iframe> elements inside your site, then the site is already compromised because the attacker can already control it, and they could add keyloggers and other malicious code immediately, without modifying framed pages.

    Marin Bratanov
    Progress Telerik
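As an added example (not part of the forum thread and not Telerik's own code), here is how the header Marin recommends can be applied site-wide in an ASP.NET application hosted on IIS 7 or later. Setting it in web.config under `system.webServer/httpProtocol/customHeaders` is assumed to be the deployment here; it covers every response, including the `Telerik.Web.UI.WebResource.axd` handler and static files, which a per-page `Response.AddHeader` call would miss. The `Content-Security-Policy: frame-ancestors` line is the modern equivalent that current browsers prefer over X-Frame-Options; it is included so the two policies agree.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config fragment (assumed IIS 7+ integrated pipeline).
     Merge into the existing <system.webServer> section; do not replace it. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Remove first so a header already added by another module or a
             parent web.config does not produce a duplicate-header error. -->
        <remove name="X-Frame-Options" />
        <remove name="Content-Security-Policy" />

        <!-- SAMEORIGIN: only pages from this site's own origin may frame
             these responses. DENY would also block the same-origin iframes
             that some Telerik controls use, which is why Marin suggests
             SAMEORIGIN rather than DENY. -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />

        <!-- frame-ancestors 'self' mirrors SAMEORIGIN for browsers that honour
             CSP. If the site already sends a CSP header, append
             "; frame-ancestors 'self'" to it instead of adding a second header. -->
        <add name="Content-Security-Policy" value="frame-ancestors 'self'" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

After deploying, confirm the header is present on a normal page and on a Telerik resource URL, for example with `curl -I` against the site, since scanners typically raise the cross-frame finding simply because no anti-framing header is returned. If a page must legitimately be framed by a partner domain, SAMEORIGIN will break that; list the allowed origins in `frame-ancestors` instead, because the older `X-Frame-Options: ALLOW-FROM` form is not supported by current browsers.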