Programming and Learning from SD

Avoid ClickJacking in ASP.Net Core 1.0


I recently received the status report of a penetration test of my ASP.Net Core 1.0 MVC site done by our IT team. They used Rapid7's vulnerability/penetration testing tool, Nexpose. I wish I had known about it before I thought I was “done” (I haven’t written code for the site in a few weeks; it has been tested and is ready to deploy), but that’s a different story. I should be doing this testing as I develop, not just at the end.

One of the vulnerabilities found was ClickJacking. I haven’t made time to learn as much from OWASP as I should have, so Nexpose’s report was extremely helpful with the explanations and links.

Description:
“Clickjacking, also known as a UI redress attack, is a method in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a page other than the one they believe they are clicking. Thus, the attacker is "hijacking" clicks meant for one page and routing the user to an illegitimate page.”

Vulnerability Solution:
“Send the HTTP response headers with X-Frame-Options that instruct the browser to restrict framing where it is not allowed.”

Solution in ASP.Net Core 1.0 RTM

The middleware pipeline of Asp.Net Core makes it easy to add response headers.

All you need to do is add an inline middleware to the Configure method in Startup.cs:

// Runs for every request, before the rest of the pipeline (MVC, static files, ...)
app.Use(async (httpContext, next) =>
{
    // DENY tells the browser never to render this response inside a frame
    httpContext.Response.Headers.Add("X-Frame-Options", "DENY");
    // Hand off to the next middleware; the header is already set before the body is written
    await next();
});
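As an added example (not code from the original post), here is the same idea packaged as a reusable middleware class. It sets the header inside Response.OnStarting, which runs just before the first byte of the response is written, so it still works when a later component starts the response early (adding a header after that point throws). It also sends the Content-Security-Policy frame-ancestors directive, which is the standard successor to X-Frame-Options. It assumes the ASP.Net Core 1.0 RTM APIs in the Microsoft.AspNetCore.Http and Microsoft.AspNetCore.Builder namespaces; the names AntiFramingMiddleware and UseAntiFraming are my own.

```csharp
// Added example: reusable anti-framing middleware for ASP.Net Core 1.0 (not from the original post).
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public class AntiFramingMiddleware
{
    private readonly RequestDelegate _next;

    public AntiFramingMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public Task Invoke(HttpContext context)
    {
        // OnStarting fires right before the response headers are flushed, so the
        // headers below are set even when an MVC action or static file starts
        // writing the body; adding headers after the response has started throws.
        context.Response.OnStarting(() =>
        {
            var headers = context.Response.Headers;
            // Legacy header understood by older browsers: never render this page in a frame.
            headers["X-Frame-Options"] = "DENY";
            // Modern equivalent: CSP frame-ancestors 'none' (use 'self' if the site frames itself).
            headers["Content-Security-Policy"] = "frame-ancestors 'none'";
            return Task.CompletedTask;
        });

        return _next(context);
    }
}

public static class AntiFramingMiddlewareExtensions
{
    // Hypothetical extension method so Startup.Configure can call app.UseAntiFraming();
    public static IApplicationBuilder UseAntiFraming(this IApplicationBuilder app)
    {
        return app.UseMiddleware<AntiFramingMiddleware>();
    }
}

// In Startup.Configure, register it before UseStaticFiles / UseMvc:
//   app.UseAntiFraming();
```

Register it before UseStaticFiles and UseMvc so that every response, including static content, carries the headers. If the site already emits a Content-Security-Policy header for other reasons, merge the frame-ancestors directive into that policy rather than overwriting it as this example does. After deploying, confirm the headers with the browser's network tab or `curl -I` against the site.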

Anti-forgery Sample

OWASP Top 10 Project: Security Vulnerabilities for ASP.Net on Pluralsight


Asp.Net Core makes it easy to stop clickjacking through code. IIS configuration is another great option. There’s no reason not to add this to your site (if you don’t use frames) now that you know about it. Let’s keep this out of the OWASP Top 10 list!

Posted on Tuesday, July 26, 2016 2:41 PM in MVC, ASP.Net, Asp.Net Core


Comments on this post: Avoid ClickJacking in ASP.Net Core 1.0

# re: Avoid ClickJacking in ASP.Net Core 1.0
Such a wonderful information. This will be relevant to my ongoing project. - Gary McClure
Left by Maxine Howard on Jul 27, 2016 4:07 PM

# re: Avoid ClickJacking in ASP.Net Core 1.0
It is nice to learn this idea. It is easy to follow the steps. - Mark Zokle
Left by Michelle Taylor on Aug 16, 2016 1:40 PM

# re: Avoid ClickJacking in ASP.Net Core 1.0
Nice post, thank you dear, it's a nice post.
Left by pendujatt on Sep 13, 2016 3:17 PM

Copyright © Aligned | Powered by: GeeksWithBlogs.net