NMAS Clickjacking Security Vulnerability: X-Frame-Options or the Content-Security-Policy frame-ancestors directive missing to prevent clickjacking attacks

In earlier builds, we used the X-Frame-Options header to prevent this vulnerability. However, it was dropped because of design changes in the NMAS builds. To fix this issue, a new option has been added from build 12.1-49.23 onwards, where you can specify the allowed hosts:

  • To defend against ClickJacking attacks, configure a list of allowed hosts. The content security policy (CSP) frame-ancestors and X-Frame-Options are not included in the whitelist. Add them explicitly to the whitelist.

[# 706431, 705731]

Reference link: https://docs.citrix.com/en-us/citrix-application-delivery-management-software/12-1/downloads/NetScaler-MAS-12-1-49-23.html

If you choose not to use this option, the CSP frame-ancestors directive and X-Frame-Options header are not sent by default. You can, however, go to "System -> System Administration -> Configure Allowed URLs List" to add hosts to the frame-ancestors whitelist. For example, see below:

Configuration:

Result:

To decide which hosts to configure here, contact your security advisor, or read about the security behaviour of this header at the link below:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
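As an added example (not NMAS or Citrix code), the following shows what an allowed-hosts whitelist turns into on the wire, and a check that can be run over captured response headers to confirm that framing is actually restricted. The origins and sample headers are constructed.

```python
from urllib.parse import urlparse

def build_frame_headers(allowed_hosts):
    """Return the response headers that restrict who may frame this page.

    allowed_hosts: origins (scheme://host[:port]) permitted to embed the
    page, on top of the page's own origin ('self'). An empty list means
    nobody may frame it.
    """
    origins = []
    for host in allowed_hosts:
        parsed = urlparse(host if "://" in host else "https://" + host)
        if not parsed.hostname:
            raise ValueError(f"bad allowed host: {host!r}")
        origin = f"{parsed.scheme}://{parsed.hostname}"
        if parsed.port:
            origin += f":{parsed.port}"
        if origin not in origins:
            origins.append(origin)
    if not origins:
        # Deny all framing; both headers can express this, so send both
        # for browsers that only understand X-Frame-Options.
        return {"Content-Security-Policy": "frame-ancestors 'none'",
                "X-Frame-Options": "DENY"}
    # X-Frame-Options cannot carry a multi-origin allowlist (ALLOW-FROM is
    # obsolete), so the allowlist lives in CSP only; browsers that support
    # frame-ancestors ignore X-Frame-Options when both are present.
    return {"Content-Security-Policy":
            "frame-ancestors 'self' " + " ".join(origins)}

def framing_protected(headers):
    """True if the response headers stop arbitrary sites from framing it."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # A wildcard source list is present but protects nothing.
            return "*" not in parts[1:]
    xfo = lower.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")

# Constructed sample: headers as a build without the fix would send them.
UNPROTECTED_SAMPLE = {"Content-Type": "text/html", "Server": "constructed"}
```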
