Please do me a favor and read this on my Gooroo site. (if I get enough hits, I get a payment) Thanks!
I recently received the status report of a penetration test of my ASP.Net Core 1.0 MVC site done by our IT team. They used Rapid7's vulnerability/penetration testing tool called Nexpose. I wish I had known about it before I thought I was “done” (I haven’t written code for it for a few weeks; it has been tested and is ready to deploy), but that’s a different story. I should be doing this testing as I develop, not just at the end.
One of the vulnerabilities found was clickjacking. I haven’t made time to learn as much from OWASP as I should have, so Nexpose’s report was extremely helpful with the explanations and links.
“Description:
Clickjacking, also known as a UI redress attack, is a method in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a page other than the one they believe they are clicking. Thus, the attacker is "hijacking" clicks meant for one page and routing the user to an illegitimate page.”
“Vulnerability Solution:
Send the HTTP response headers with X-Frame-Options that instruct the browser to restrict framing where it is not allowed.”
Solution in ASP.Net Core 1.0 RTM
The middleware pipeline of ASP.Net Core makes it easy to add response headers.
All you need to do is add an inline middleware to the Configure method in Startup.cs:
app.Use(async (httpContext, next) =>
{
    // Tell the browser never to render this response inside a frame or iframe.
    // Use "SAMEORIGIN" instead of "DENY" if your own pages need to frame each other.
    httpContext.Response.Headers.Add("X-Frame-Options", "DENY");
    // Continue with the rest of the pipeline (MVC, static files, ...).
    await next();
});
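The same header as a reusable middleware class, added here as an example and not code from the original post; the class and method names are hypothetical. It sets the header in OnStarting so it is written even when a later component starts the response, and it also emits the equivalent Content-Security-Policy frame-ancestors directive, which newer browsers use in preference to X-Frame-Options.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical reusable middleware (added example, not from the original post).
// The header is set in OnStarting so it is written just before the response
// headers are flushed, even when a later component (MVC, static files)
// starts the response itself.
public class AntiFramingMiddleware
{
    private readonly RequestDelegate _next;
    private readonly string _xFrameOptions;  // "DENY" or "SAMEORIGIN"
    private readonly string _frameAncestors; // CSP equivalent: 'none' or 'self'

    public AntiFramingMiddleware(RequestDelegate next, bool allowSameOrigin)
    {
        _next = next;
        _xFrameOptions = allowSameOrigin ? "SAMEORIGIN" : "DENY";
        _frameAncestors = allowSameOrigin ? "'self'" : "'none'";
    }

    public Task Invoke(HttpContext context)
    {
        context.Response.OnStarting(state =>
        {
            var response = (HttpResponse)state;
            // Indexer assignment overwrites any value set earlier in the pipeline.
            response.Headers["X-Frame-Options"] = _xFrameOptions;
            // Browsers that understand CSP frame-ancestors use it instead of
            // X-Frame-Options; emit both so old and new browsers get one policy.
            if (!response.Headers.ContainsKey("Content-Security-Policy"))
            {
                response.Headers["Content-Security-Policy"] =
                    "frame-ancestors " + _frameAncestors;
            }
            return Task.CompletedTask;
        }, context.Response);

        return _next(context);
    }
}

public static class AntiFramingMiddlewareExtensions
{
    // In Startup.Configure, before app.UseMvc(...): app.UseAntiFraming();
    public static IApplicationBuilder UseAntiFraming(
        this IApplicationBuilder app, bool allowSameOrigin = false)
        => app.UseMiddleware<AntiFramingMiddleware>(allowSameOrigin);
}
```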
Anti-forgery Sample
OWASP Top 10 Project: Security Vulnerabilities for ASP.Net on Pluralsight
ASP.Net Core makes it easy to stop clickjacking through code. Configuring IIS to send the header is another great option. There’s no reason not to add this to your site (if your pages don’t need to be framed) now that you know about it. Let’s keep this out of the OWASP Top 10 list!