
A portion of our system exposes an HTTP file handler that transmits a file to the client provided that authentication and file ID are correct, and returns no response if not.

The ASP.NET server this is hosted on is instructed to add an X-Frame-Options header to all responses, and dutifully does so for standard pages. For whatever reason, it does not do so for this handler.

An automated scan has identified this as a clickjacking vulnerability, though I'm struggling to see why this would be the case. The file is transmitted as `Content-Disposition: attachment` and so downloads, instead of displaying in the browser in a way which could open up a vulnerability with an overlay over PDF content, for example.

Is my gut on this right, that it doesn't represent a vulnerability? Or is there a case I've overlooked? I could, of course, just add the header anyway, though I'm not sure if that's spec-breaking.

Dan

2 Answers


My verdict

You can't have clickjacking on static pages as a valid or pertinent vulnerability; it won't hurt me, at least, to skip those headers intentionally on static pages like that of attachments, unless it's an API endpoint or so.

Professional Advice

Hell yeah, it's a false positive, and the sole reason why you are advised to go for bug bounty programs for your company and advised against running an automated scanner, not even Netsparker, which costs a few thousand dollars. If you choose the latter option, do teach yourself the basic skills to understand what's a false positive, and that these scanners have much lower precision than manual testing techniques.

No, it isn't a vulnerability. Clickjacking, by industry standards of the day, requires an attacker to be able to exploit it from the point of view of being able to coerce the user into performing a state-changing action in the user's context. Judge the fact by Google's Bughunter University, which states that only clickjacking which can have a state-changing impact on the user's account is eligible for their VRP.

What's a valid attack scenario like strictly in technical terms?

So let's say the attacker can make the frame hidden beneath a button, then makes an unknowing user click on that button, and this leads to the user deleting all his data and account. Then yes, it's a valid attack vector and is of P4 priority to an average security engineer like me.

Further clarification

Ask yourself again: can it be used for phishing by an attacker, or can he accomplish something useful by embedding an attachment within a frame or iframe? Can he record the keystrokes of the victim user with the help of embedding the attachment in an iframe? Well, the straightforward answer to it is no.

Further, you can go and read my article https://dzone.com/articles/looking-at-some-practical-examples-of-security-bug on DZone, which was distributed to thousands of developers via a weekly digest. It should be a good read for you; just ignore the typos their editorial team made.

A Khan
  • Conceivably you could have an interactive PDF as the attachment, containing hyperlinks. I'm not sure that your answer is applicable to the question asked, which was whether attachments transmitted with the specified `Content-Disposition` are then exempt from such attacks. – Dan Sep 04 '18 at 17:08
  • Can that have any state-changing impact on the victim user's account context? If so, please elaborate using a PoC. – A Khan Sep 05 '18 at 09:31
  • Just out of curiosity, what if I could embed your PDF in my website in a frame? That's harmless. Ask yourself again: what I wanted to say is that it has no context for the attack, or the attacker can't gain any benefit in the case of attachments. – A Khan Sep 05 '18 at 09:33
  • "Static pages" applies to attachments too, which fall under content that poses no substantial risk. – A Khan Sep 05 '18 at 09:34

It's not exactly a false positive; I'm not 100% sure that all content types will be downloaded instead of displayed in all browsers. So unless there is user-controlled content, or it is combined with a browser bug, I can't see it being useful/exploitable in the wild. You could just alter the code to spit out the header alongside the Content-Disposition if you want to make the scanner or tester stop flagging it.

wireghoul
  • The attachments are user-uploadable, but will always be downloaded with the `Content-Disposition` header. I guess it does boil down to whether the browsers will always download the files, which the spec says they `should` do. – Dan Sep 04 '18 at 17:10
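An added example, not code from the question or from either answer: a framework-neutral model of the triage both answers are doing on the scanner's "missing X-Frame-Options" finding, next to the hardened header set the second answer suggests for the download handler. The function names, the header sets and the filenames below are constructed for illustration; the real handler is an ASP.NET one and would set the same headers on its Response object.

```python
# Added example: triage a "frameable response" scanner hit and build the
# header set a forced-download handler should emit. Names and sample
# header sets are assumptions made up for this illustration.
import re
from urllib.parse import quote

# Types a browser will render in a frame if nothing tells it to download.
RENDERABLE = re.compile(r"^(text/|image/|application/(pdf|xhtml\+xml|xml|json))", re.I)


def triage_frame_finding(headers: dict) -> str:
    """Classify one response the scanner flagged for a missing X-Frame-Options.

    'not-frameable'   - XFO or CSP frame-ancestors already forbids cross-site framing
    'rendered-inline' - no framing protection and the body renders in the browser:
                        the classic clickjacking precondition (overlay over a PDF, a page)
    'download-only'   - no framing protection but the body is an attachment: nothing
                        is drawn in the frame to overlay, so low risk; add the header
                        anyway to close the finding
    """
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "")
    if xfo in ("DENY", "SAMEORIGIN") or re.search(r"frame-ancestors\s+'(none|self)'", csp):
        return "not-frameable"
    if re.match(r"\s*attachment\b", h.get("content-disposition", ""), re.I):
        return "download-only"
    if RENDERABLE.match(h.get("content-type", "")):
        return "rendered-inline"
    return "download-only"


def build_download_headers(filename: str, content_type: str = "application/octet-stream") -> dict:
    """Headers for serving a user-uploaded file as a forced download.

    The filename is sanitised so an uploaded name cannot smuggle quotes or
    semicolons into the header; non-ASCII names get an RFC 5987 filename*.
    nosniff stops a browser second-guessing the declared type, and the two
    framing headers are harmless on a download but make the finding go away.
    """
    ascii_name = re.sub(r"[^\w.\-]", "_", filename.encode("ascii", "ignore").decode()) or "download"
    disposition = f'attachment; filename="{ascii_name}"'
    if ascii_name != filename:
        disposition += f"; filename*=UTF-8''{quote(filename, safe='')}"
    return {
        "Content-Type": content_type,
        "Content-Disposition": disposition,
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
        "Cache-Control": "private, no-store",
    }


def demo() -> dict:
    """Constructed header sets standing in for what a scanner would observe."""
    observed = {
        "handler-as-found": {"Content-Type": "application/pdf",
                             "Content-Disposition": 'attachment; filename="report.pdf"'},
        "page-as-found": {"Content-Type": "text/html; charset=utf-8",
                          "X-Frame-Options": "SAMEORIGIN"},
        "inline-pdf": {"Content-Type": "application/pdf",
                       "Content-Disposition": "inline"},
        "handler-hardened": build_download_headers('rapport été;".pdf', "application/pdf"),
    }
    return {name: triage_frame_finding(h) for name, h in observed.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

On the poster's last question: X-Frame-Options is defined per response, and a browser that is saving the body to disk simply has nothing to apply it to, so emitting it alongside `Content-Disposition: attachment` is not spec-breaking. The `nosniff` header is what addresses the second answer's worry about a browser deciding to display an upload rather than download it.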