Dear BusyBox maintainers,

I hope this information can be useful for you.

Our Nessus scan recommends adding an additional X-Frame-Options header to your httpd.
Is there something already available?
(sorry, but I can't find anything where I can modify the HTTP response header).

This is just an idea:

--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -1133,6 +1133,7 @@ static void send_headers(unsigned responseNum)
if (responseNum != HTTP_OK || found_mime_type) {
len += sprintf(iobuf + len,
"Content-type: %s\r\n",
+ "x-frame-options: SAMEORIGIN\r\n",
/* if it's error message, then it's HTML */
(responseNum != HTTP_OK ? "text/html" : found_mime_type)
);
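Review bot: the new literal is passed as a separate argument to sprintf instead of being concatenated into the format string, so it becomes the value substituted for the single `%s` and the real content type (the `responseNum != HTTP_OK ? ... : found_mime_type` expression) is left as an unused trailing argument; the emitted line would read "Content-type: x-frame-options: SAMEORIGIN" followed by a blank line, which both breaks the Content-type header and ends the header block early. Drop the comma after the existing format string so the two adjacent literals merge into one format, i.e.
"Content-type: %s\r\n"
"X-Frame-Options: SAMEORIGIN\r\n",
and keep the content-type argument as the only `%s` operand. Note also that this branch only runs when `responseNum != HTTP_OK || found_mime_type`, so responses without a detected MIME type would still go out without the header, while the scanner finding quoted below checks all content responses; emitting the header unconditionally elsewhere in send_headers() would avoid that gap. A short comment on the added line explaining that it is a clickjacking mitigation would help future readers of httpd.c.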

Description:

The remote web server does not set an X-Frame-Options response header or a 
Content-Security-Policy 'frame-ancestors' response header in all content 
responses. This could potentially expose the site to a clickjacking or UI 
redress attack, in which an attacker can trick a user into clicking an area of 
the vulnerable page that is different than what the user perceives the page to 
be. This can result in a user performing fraudulent or malicious transactions.
X-Frame-Options has been proposed by Microsoft as a way to mitigate 
clickjacking attacks and is currently supported by all major browser vendors.
Content-Security-Policy (CSP) has been proposed by the W3C Web Application 
Security Working Group, with increasing support among all major browser 
vendors, as a way to mitigate clickjacking and other attacks. The 
'frame-ancestors' policy directive restricts which sources can embed the 
protected resource.
Note that while the X-Frame-Options and Content-Security-Policy response 
headers are not the only mitigations for clickjacking, they are currently the 
most reliable methods that can be detected through automation. Therefore, this 
plugin may produce false positives if other mitigation strategies (e.g., 
frame-busting JavaScript) are deployed or if the page does not perform any 
security-sensitive transactions.

Remediation:

Return the X-Frame-Options or Content-Security-Policy (with the 
'frame-ancestors' directive) HTTP header with the page's response.
This prevents the page's content from being rendered by another site when using 
the frame or iframe HTML tags.

Reference:

CWE:693

Best regards,

Steffen Hamann
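As an added example (not code from the mail or from BusyBox), the following Python implements the check the quoted Nessus finding describes: a response is treated as protected only if it carries a usable X-Frame-Options value or a Content-Security-Policy with a frame-ancestors directive. The header dictionaries in the test are constructed sample input.

```python
# Added example, not part of the original mail or of BusyBox httpd.
# Classifies a single HTTP response's headers by the clickjacking
# mitigation it carries, mirroring what the scanner finding looks for.


def csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None
    when the policy has no frame-ancestors directive."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_protection(headers: dict) -> str:
    """Return 'csp', 'xfo' or 'none' for a dict of response headers.

    Header names are matched case-insensitively. A CSP frame-ancestors
    directive is reported first because browsers that support it give it
    precedence over X-Frame-Options when both headers are present.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is not None and csp_frame_ancestors(csp) is not None:
        return "csp"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    # ALLOW-FROM is obsolete and ignored by current browsers, and any
    # other value is invalid, so neither counts as protection.
    return "none"
```

Running it over headers captured from each httpd response (not just those with a detected MIME type) reproduces the scanner's "not set in all content responses" condition.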


_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox