Unsanitized User Input in UI

Overview

  • Rule ID: javascript_express_ui_redress

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-1021

Description

UI redress attacks, also known as clickjacking, occur when an attacker manipulates the appearance of a webpage (typically by framing it inside another site) to deceive users into performing unintended actions. A common contributing weakness is the misuse of the HTTP headers that control framing, X-Frame-Options and Content-Security-Policy (CSP), especially when their values are built from unsanitized user input.

Remediation Guidelines

  • Do set the most secure values for these headers to enhance protection against clickjacking.

    res.set('X-Frame-Options', 'DENY');
    res.set('Content-Security-Policy', "frame-ancestors 'none'");
    
  • Do not directly use user input to set these headers. Instead, implement a safelist approach to ensure only approved values are used.

    const frameOptions = ['deny', 'sameorigin'];
    // Query values can be missing or repeated (an array), so check the type
    // before calling string methods, and write only the canonical value.
    const requested = typeof req.query.options === 'string'
      ? req.query.options.toLowerCase()
      : '';
    
    if (frameOptions.includes(requested)) {
      res.set('X-Frame-Options', requested.toUpperCase());
    }
    
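The two patterns side by side, as an added example that is not part of the original rule page: a safelist resolver that maps untrusted input to a canonical policy and sets both headers consistently, next to the direct-assignment pattern the rule flags. `req` and `res` are plain objects shaped like Express's (`req.query`, `res.set`), so the example runs without Express installed.

```javascript
// Canonical, allowed policies. Anything else falls back to the strictest one.
const FRAME_OPTIONS = new Map([
  ['deny', { xfo: 'DENY', csp: "frame-ancestors 'none'" }],
  ['sameorigin', { xfo: 'SAMEORIGIN', csp: "frame-ancestors 'self'" }],
]);
const DEFAULT_POLICY = FRAME_OPTIONS.get('deny');

// Resolve untrusted input to one of the canonical policies.
// Handles the edge cases a query string can produce: missing value,
// repeated parameter (array), non-string, unknown or padded values.
function resolveFramePolicy(input) {
  if (typeof input !== 'string') return DEFAULT_POLICY;
  const key = input.trim().toLowerCase();
  return FRAME_OPTIONS.get(key) || DEFAULT_POLICY;
}

// Pattern the rule flags: the raw request value flows straight into the
// header, so whoever controls the query string controls the framing policy.
function setFrameHeadersUnsafe(req, res) {
  res.set('X-Frame-Options', req.query.options);
}

// Hardened pattern: only a safelisted canonical value is ever written,
// never the raw input, and X-Frame-Options and CSP are kept in agreement.
function setFrameHeadersSafe(req, res) {
  const policy = resolveFramePolicy(req.query.options);
  res.set('X-Frame-Options', policy.xfo);
  res.set('Content-Security-Policy', policy.csp);
  return policy;
}

// Minimal stand-in for Express's res.set (assumption: constructed for this
// example) so the functions above can be exercised offline.
function makeRes() {
  const headers = {};
  return { headers, set(name, value) { headers[name] = value; } };
}
```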
