cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Summary

Nessus vulnerability scans indicate issues with ClickJacking

Symptoms

Nessus vulnerability scans indicate FNM application potentially vulnerable to Clickjacking

The following pages do not use a clickjacking mitigation response header and contain a clickable event : - http://server:8888/flexnet/forgotPassword.do - http://server:8888/flexnet/logon.do
Port: www (8888/tcp)


Vulnerability Description:
The remote web server does not set an X-Frame-Options response header or a Content-Security-Policy 'frame-ancestors' response header in all content responses. This could potentially expose the site to a clickjacking or UI redress attack, in which an attacker can trick a user into clicking an area of the vulnerable page that is different than what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions. X-Frame-Options has been proposed by Microsoft as a way to mitigate clickjacking attacks and is currently supported by all major browser vendors. Content-Security-Policy (CSP) has been proposed by the W3C Web Application Security Working Group, with increasing support among all major browser vendors, as a way to mitigate clickjacking and other attacks. The 'frame-ancestors' policy directive restricts which sources can embed the protected resource. Note that while the X-Frame-Options and Content-Security-Policy response headers are not the only mitigations for clickjacking, they are currently the most reliable methods that can be detected through automation. Therefore, this plugin may produce false positives if other mitigation strategies (e.g., frame-busting JavaScript) are deployed or if the page does not perform any security-sensitive transactions.


Resolution

Please upgrade to FNMEA 2018 R to resolve this issue.
Was this article helpful? Yes No
No ratings
Version history
Last update:
‎Feb 04, 2019 11:19 PM
Updated by: