Unsanitized User Input in UI

Overview

Rule ID: javascript_express_ui_redress
Applicable Languages: Javascript
Weakness ID: CWE-1021

Description

UI redress attacks, also known as clickjacking, occur when an attacker manipulates the appearance of a webpage to deceive users into performing unintended actions. One common vector for such attacks is the misuse of HTTP headers like X-Frame-Options and Content-Security-Policy (CSP), especially when they are configured with unsanitized user input.

Remediation Guidelines

Do set the most secure values for these headers to enhance protection against clickjacking.

res.set('X-Frame-Options', 'DENY');
res.set('Content-Security-Policy', "frame-ancestors 'none'");

Do not directly use user input to set these headers. Instead, implement a safelist approach to ensure only approved values are used.

const frameOptions = ['deny', 'sameorigin'];

if (frameOptions.includes(req.query.options.toLowerCase())) {
  res.set('X-Frame-Options', req.query.options.toUpperCase());
}

References

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our

PreviousUnsanitized input in SQL query NextUnsanitized user input in XML parsing method

Last updated 10 months ago