ANALYSIS RESULTS

Below are the complete analysis and results.


SUMMARY OF REPORT

A customer in the US Commercial region identified a security vulnerability that could expose the VIDIZMO website to framesniffing and clickjacking.


It was reported that the VIDIZMO website does not set the X-FRAME-OPTIONS header, which is recommended when setting up websites where user interaction is required for one-click authentication.

ID     | Identified Vulnerability   | Description
VUL-04 | "X-Frame-Options" Not Set  | The use of X-FRAME-OPTIONS is recommended in setting up websites where user interaction is required for one-click authentication.


FINDINGS

Framesniffing is an attack technique that takes advantage of browser functionality to steal data from a website.


Clickjacking is a malicious technique to trick a web user into clicking on something different from what the user actually perceives, which can infect a machine with malware that potentially reveals confidential information or takes control of the user's computer and/or Username.


Administrators can mitigate framesniffing by configuring IIS to send an HTTP response header that prevents content from being hosted in a cross-domain IFRAME.


The X-Frame-Options HTTP response header indicates whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use it to avoid framesniffing and clickjacking attacks by ensuring that their content is not embedded into other sites.


VIDIZMO offers <embed> as part of its default features. VIDIZMO provides a security update to resolve this vulnerability under special conditions (if required), as per the customer's security needs.


TOOLS

For the execution of this project, the most up-to-date versions of the following tools and components associated with them were used:


Tool                    | Description
Browser Developer Tools | Every modern web browser includes a powerful suite of developer tools. These tools do a range of things, from inspecting the currently loaded HTML, CSS and JavaScript to showing which assets the page has requested and how long they took to load. Here they were used to inspect the response headers returned by the site.
URL Rewrite Module      | URL Rewrite is an extension for the IIS web server that allows web administrators to build powerful rules using rewrite providers written in .NET, regular expression pattern matching, and wildcard mapping to examine information in URLs, other HTTP headers and IIS server variables.



LINE OF ACTION AND ASSOCIATED TIMELINES

The following table outlines actions performed and their schedule to remediate security issues and vulnerabilities.


ID     | Identified Vulnerability  | Identification Date | Incident Resolution Start Date | Incident Resolution End Date
VUL-04 | "X-Frame-Options" Not Set | July 03 2021        | July 07 2021                   | July 09 2021



REMEDIATION PROCEDURE

Below are the details of the actions performed to remove the security vulnerabilities.


Vulnerability Identification | VUL-04 - "X-Frame-Options" Not Set
Description of Vulnerability | The use of X-FRAME-OPTIONS is recommended in setting up websites where user interaction is required for one-click authentication.
Remediation Action           | Created an outbound rewrite rule in IIS that matches the given host URL and adds the required HTTP response header to the response.

References:

https://support.microsoft.com/en-us/office/mitigating-framesniffing-with-the-x-frame-options-header-1911411b-b51e-49fd-9441-e8301dcdcd79

https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/creating-outbound-rules-for-url-rewrite-module

https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524602(v=vs.90)?redirectedfrom=MSDN

https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expression-language-quick-reference

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

https://stackoverflow.com/questions/43050026/urlrewrite-condition-based-on-custom-http-header

https://stackoverflow.com/questions/45472306/adding-custom-response-header-in-http-response-headers-module-within-iis7-mana



DETAIL OF VULNERABILITIES

This section provides complete detail of vulnerabilities identified during the assessment procedure.


Vulnerability ID: VUL-04

"X-Frame-Options" Not Set

Description of Vulnerability

The use of X-FRAME-OPTIONS is recommended in setting up websites where user interaction is required for one-click authentication.

Organizational Risk

Framesniffing is an attack technique that takes advantage of browser functionality to steal data from a website. Web applications that allow their content to be hosted in a cross-domain IFRAME may be vulnerable to this attack.


Clickjacking is a malicious technique to trick a web user into clicking on something different from what the user actually perceives, which can infect a machine with malware that potentially reveals confidential information or takes control of the user's computer and/or Username.