This is a migrated thread and some comments may be shown as answers.

How to prevent Cross-Frame Scripting attack

General Discussions
Darius asked on 29 Mar 2018, 02:15 PM

Hi,

I want to prevent Cross-Frame scripting attack. Note that I am not asking about Cross-site Scripting attack, but Cross-Frame.

A security scan flags my website with a Cross-Frame vulnerability. However, I don't see an IFRAME anywhere in the rendered markup, but I am positive this is related to Telerik controls. How do you prevent a cross-frame attack, which I believe allows an attacker to inject alternate content into an IFRAME on the page?

I have the following Telerik controls/Assemblies on page:

1) Telerik.Web.UI

2) RadScriptManager

3) RadAjaxManager

4) RadStyleSheetManager

5) RadMenu

6) RadComboBox

7) RadPanelBar

8) RadGrid

9) RadAjaxManagerProxy

1 Answer, 1 is accepted

Marin Bratanov
Telerik team
answered on 30 Mar 2018, 11:52 AM
Hi Darius,

Cross-frame scripting attacks usually require the attacker to have the end user open a page that the attacker owns, and that page hosts an <iframe> with your legitimate page. This is something that the end user must look out for, as it is not something user interface controls can influence. What I can suggest you look into is adding an X-Frame-Options: SAMEORIGIN header so that your pages can only be framed by your domain. This can allow controls of ours that use <iframe>s to still work, while reducing the risk of an attacker using your pages in a frame attack.

If the attacker already can inject content into <iframe> elements inside your site, then the site is already compromised because the attacker can already control it, and they could add keyloggers and other malicious code immediately, without modifying framed pages.


Regards,
Marin Bratanov
Progress Telerik
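As an added illustration (not code from the thread or from Telerik), a small Python check that applies the browser rules for the header recommended above: given a page's response headers and the origin of a framing page, it decides whether the frame would be allowed, and it also honours a Content-Security-Policy frame-ancestors directive, which takes precedence over X-Frame-Options when present. The hostnames and header sets are constructed for the example.

```python
from urllib.parse import urlsplit

def _origin(url):
    """Scheme + host[:port] of a URL, lower-cased (e.g. https://app.example.com)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def _source_matches(source, framer, page):
    """Match one CSP frame-ancestors source expression against the framer origin."""
    src = source.lower()
    if src == "'self'":
        return framer == page
    if src == "*":
        return True
    if "://" not in src:
        src = "*://" + src                     # host-only source: any scheme
    scheme, host = src.split("://", 1)
    fscheme, fhost = framer.split("://", 1)
    if scheme != "*" and scheme != fscheme:
        return False
    if host.startswith("*."):
        return fhost.endswith(host[1:])        # wildcard subdomain
    return host == fhost

def framing_allowed(page_url, framer_url, headers):
    """True if a browser would let framer_url embed page_url in a frame.
    Precedence: CSP frame-ancestors wins over X-Frame-Options; with neither
    header present, any site may frame the page."""
    page, framer = _origin(page_url), _origin(framer_url)
    lower = {k.lower(): v for k, v in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            if not sources or "'none'" in sources:
                return False                   # treat an empty list as deny
            return any(_source_matches(s, framer, page) for s in sources)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    return True                                # missing/unknown value: framable

# Constructed sample responses (not taken from the thread): the site as the
# scanner saw it, and the same site after the recommended header is added.
UNPROTECTED = {"Content-Type": "text/html"}
PROTECTED = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
```

In an ASP.NET site the header is normally set once for every page in web.config (system.webServer/httpProtocol/customHeaders) rather than per control, and the check above can be run against the live response headers to confirm the scanner finding is closed.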