This is a migrated thread and some comments may be shown as answers.

How to prevent Cross-Frame Scripting attack

1 Answer 184 Views
General Discussions
This is a migrated thread and some comments may be shown as answers.
Darius
Top achievements
Rank 1
Darius asked on 29 Mar 2018, 02:15 PM

Hi,

I want to prevent Cross-Frame scripting attack. Note that I am not asking about Cross-site Scripting attack, but Cross-Frame.

Security scan flags my website with Cross-Frame vulnerability. However I don't see IFRAME anywhere in the rendered markup. But I am positive this is related to Telerik controls. How do you prevent cross-frame attack, which I believe allows attacker to inject alternate content into an IFRAME on the page.

I have the following Telerik controls/Assemblies on page:

1) Telerik.Web.UI

2) RadScriptManager

3) RadAjaxManager

4) RadStyleSheetManager

5) RadMenu

6) RadComboBox

7) RadPanelBar

8) RadGrid

9) RadAjaxManagerProxy

1 Answer, 1 is accepted

Sort by
0
Marin Bratanov
Telerik team
answered on 30 Mar 2018, 11:52 AM
Hi Darius,

Cross-frame scripting attacks usually require the attacker to have the end user open a page that the attacker owns, and that page hosts an <iframe> with your legitimate page. This is something that the end user must look out for as it is not something user interface contols can influence. What I can suggest you look into is adding and X-Frame-Options: SAMEORIGIN header so that your pages can only be framed by your domain. This can allow contorls of ours that use <iframes> to still work, while reducing the risk of an attacker using your pages in a frame attack.

If the attacker already can inject content into <iframe> elements inside your site, then the site is already compromised because the attacker can already control it, and they could add keyloggers and other malicious code immediately, without modifying framed pages.


Regards,
Marin Bratanov
Progress Telerik
Try our brand new, jQuery-free Angular components built from ground-up which deliver the business app essential building blocks - a grid component, data visualization (charts) and form elements.
Tags
General Discussions
Asked by
Darius
Top achievements
Rank 1
Answers by
Marin Bratanov
Telerik team
Share this question
or