Unsanitized User Input in UI
Overview
Rule ID:
javascript_express_ui_redress
Applicable Languages: JavaScript
Weakness ID: CWE-1021
Description
UI redress attacks, also known as clickjacking, occur when an attacker embeds a page in a frame and manipulates its appearance to deceive users into performing unintended actions. The HTTP headers that prevent framing, X-Frame-Options and the Content-Security-Policy (CSP) frame-ancestors directive, lose their protective value when their contents are built from unsanitized user input, because the requester can then weaken or disable them.
Remediation Guidelines
Do set the most secure values for these headers to enhance protection against clickjacking.
// Most restrictive settings: the page may not be framed by anyone.
res.set('X-Frame-Options', 'DENY');
res.set('Content-Security-Policy', "frame-ancestors 'none'");
Do not directly use user input to set these headers. Instead, implement a safelist approach to ensure only approved values are used.
const frameOptions = ['deny', 'sameorigin'];
const requested = req.query.options;
// Only a string from the safelist reaches the header; arrays or objects produced by the query string are ignored instead of throwing on toLowerCase().
if (typeof requested === 'string' && frameOptions.includes(requested.toLowerCase())) {
  res.set('X-Frame-Options', requested.toUpperCase());
}
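The following is an added example, not code from the rule page or from any project it describes. It turns the safelist approach above into a reusable Express-style middleware that maps the user's request onto canonical header values, falls back to the most restrictive settings when the input is not on the safelist, and also sets the matching CSP frame-ancestors directive. The function and constant names (safeFrameOptions, clickjackingHeaders, uiRedressProtection, runMiddleware) are assumptions chosen for the example; the req/res stand-ins at the bottom exist only so the block runs without Express installed.

```javascript
// Added example (not from the rule page): safelisted frame-control headers
// plus an Express-style middleware that applies them. Runs without Express;
// the middleware only relies on res.set().

// The only X-Frame-Options values browsers honour. Anything else is treated
// as "not on the safelist", never as a typo to be passed through.
const ALLOWED_FRAME_OPTIONS = new Map([
  ['deny', 'DENY'],
  ['sameorigin', 'SAMEORIGIN'],
]);

// Returns the canonical header value for an approved input, or null.
// Non-string input (Express yields arrays/objects for ?options[]=x or
// ?options[k]=x) is rejected rather than crashing on .toLowerCase().
function safeFrameOptions(input) {
  if (typeof input !== 'string') return null;
  return ALLOWED_FRAME_OPTIONS.get(input.trim().toLowerCase()) ?? null;
}

// Builds the headers to send. Input that is not on the safelist falls back
// to the most restrictive values instead of being echoed into the header.
function clickjackingHeaders(input) {
  const xfo = safeFrameOptions(input) ?? 'DENY';
  const ancestors = xfo === 'SAMEORIGIN' ? "'self'" : "'none'";
  return {
    'X-Frame-Options': xfo,
    'Content-Security-Policy': `frame-ancestors ${ancestors}`,
  };
}

// Express-style middleware: reads req.query.options but never writes the
// raw value to a header.
function uiRedressProtection(req, res, next) {
  const headers = clickjackingHeaders(req.query && req.query.options);
  for (const [name, value] of Object.entries(headers)) res.set(name, value);
  next();
}

// Minimal stand-in for Express's req/res so the example runs on its own;
// returns what the middleware set and whether it called next().
function runMiddleware(query) {
  const sent = {};
  const res = { set(name, value) { sent[name] = value; } };
  let nextCalled = false;
  uiRedressProtection({ query }, res, () => { nextCalled = true; });
  return { headers: sent, nextCalled };
}

// Constructed sample requests: approved value, a value not on the safelist,
// and a non-string value produced by the query-string parser.
console.log(runMiddleware({ options: 'SameOrigin' }).headers);
console.log(runMiddleware({ options: 'ALLOW-FROM https://example.invalid' }).headers);
console.log(runMiddleware({ options: ['deny'] }).headers);
```

The fallback to DENY on unrecognised input is deliberate: a request should be able to make the page stricter (or keep it at same-origin) but never weaker, and a parser surprise such as an array value should degrade to the safe default rather than to no header at all.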
References
Configuration
To exclude this rule from a scan, or to set up continuous code-level scanning, you can use our SAST tool.
Last updated