api-management-developer-portal
api-management-developer-portal copied to clipboard
Azure
Developer Portal - Clickjacking vulnerability
Bug description
For Developer Portal, after Pen test by Security team they identified a vulnerability "The web application is vulnerable to clickjacking". With the usage of Burp Clickbandit feature the team managed to overlay an iframe or a "clickable" area on top of the website. PFB for reference.
As we could not override the Iframe tag, kindly support on the right approach to fix the bug.
Expected behaviour
Below are the remediations recommended by Security team:
There are three main mechanisms that can be used to defend against these attacks:
• Preventing the browser from loading the page in frame using the X-Frame-Options or Content Security Policy (frame-ancestors) HTTP headers. • Preventing session cookies from being included when the page is loaded in a frame using the Same Site cookie attribute. • Implementing JavaScript code in the page to attempt to prevent it being loaded in a frame (known as a "frame-buster").
Note that these mechanisms are all independent of each other, and where possible more than one of them should. be implemented in order to provide defense in depth.
Is your portal managed or self-hosted?
Self-hosted
