ANALYSIS RESULTS
Below is the complete analysis and results.
SUMMARY OF REPORT
A customer in the US Commercial region identified a security vulnerability that could expose the VIDIZMO website to framesniffing and clickjacking.
It was reported that the VIDIZMO website does not set the X-Frame-Options response header, which is recommended for websites where user interaction is required for one-click authentication.
ID | Identified Vulnerability | Description |
VUL-04 | "X-Frame-Options" Not Set | The use of X-FRAME-OPTIONS is recommended in setting up websites where user interaction is required for one-click authentication. |
FINDINGS
Framesniffing is an attack technique that takes advantage of browser functionality to steal data from a website.
Clickjacking is a malicious technique that tricks a web user into clicking on something different from what the user actually perceives, which can infect a machine with malware that potentially reveals confidential information or takes control of the user's computer and/or user account.
Administrators can mitigate framesniffing by configuring IIS to send an HTTP response header that prevents content from being hosted in a cross-domain IFRAME.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid framesniffing and clickjacking attacks by ensuring that their content is not embedded into other sites.
VIDIZMO offers embedding via <embed> as part of its default features, so restricting framing affects that feature. VIDIZMO provides a security update to resolve this vulnerability under special conditions (if required), according to each customer's security needs.
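As an added illustration (not part of VIDIZMO's report or product), the following Python function classifies a response's X-Frame-Options header the way a reviewer would when checking for VUL-04 and reports whether third-party embedding, the <embed> feature mentioned above, remains possible under each value. The header sets are constructed samples; `audit_url` is a hypothetical helper for running the same check against a live site.

```python
from urllib.request import Request, urlopen

FINDING_MISSING = 'VUL-04 "X-Frame-Options" Not Set'


def audit_x_frame_options(headers):
    """Return {'status', 'embed_allowed', 'finding'} for a response header mapping.

    Header names match case-insensitively, as in browsers. 'embed_allowed' is
    True when a third-party page may still frame the content, which matters
    for a product that offers <embed> by default.
    """
    lookup = {k.lower(): v for k, v in headers.items()}
    raw = lookup.get("x-frame-options")
    if raw is None:
        return {"status": "missing", "embed_allowed": True, "finding": FINDING_MISSING}
    # Browsers split coalesced headers on commas and compare case-insensitively.
    values = {v.strip().upper() for v in raw.split(",") if v.strip()}
    if not values:
        return {"status": "invalid", "embed_allowed": True, "finding": "empty header"}
    if len(values) > 1:
        # Per the HTML spec, distinct conflicting values block framing everywhere;
        # older browsers varied, so treat it as a misconfiguration to fix.
        return {"status": "conflicting", "embed_allowed": False,
                "finding": f"conflicting X-Frame-Options values {raw!r}"}
    value = values.pop()
    if value == "DENY":
        return {"status": "deny", "embed_allowed": False, "finding": None}
    if value == "SAMEORIGIN":
        return {"status": "sameorigin", "embed_allowed": False, "finding": None}
    if value.startswith("ALLOW-FROM"):
        # Obsolete directive: current browsers ignore it, leaving no protection.
        return {"status": "obsolete", "embed_allowed": True,
                "finding": "ALLOW-FROM is obsolete and ignored by current browsers"}
    return {"status": "invalid", "embed_allowed": True,
            "finding": f"unrecognised X-Frame-Options value {raw!r}"}


def audit_url(url, timeout=10):
    """Fetch a live URL and audit its headers (network access; not used offline)."""
    with urlopen(Request(url), timeout=timeout) as resp:
        return audit_x_frame_options(dict(resp.headers.items()))


# Constructed sample responses, not captured from any real deployment.
SAMPLE_BEFORE = {"Content-Type": "text/html", "Server": "Microsoft-IIS/10.0"}
SAMPLE_AFTER = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
```

The same values can be read off the Response Headers pane of the browser developer tools listed below; SAMPLE_BEFORE reproduces the finding and SAMPLE_AFTER clears it, at the cost of cross-site embedding.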
TOOLS
For the execution of this project, the most up-to-date versions of the following tools and components associated with them were used:
Tool | Description |
Browser Developer Tools | Every modern web browser includes a suite of developer tools. They cover a range of tasks, from inspecting the currently loaded HTML, CSS and JavaScript to showing which assets the page requested, the response headers returned for each, and how long they took to load. |
URL Rewrite Module | URL Rewrite is an extension for IIS web server and allows Web administrators to easily build powerful rules using rewrite providers written in .NET, regular expression pattern matching, and wildcard mapping to examine information in both URLs and other HTTP headers and IIS server variables. |
LINE OF ACTION AND ASSOCIATED TIMELINES
The following table outlines actions performed and their schedule to remediate security issues and vulnerabilities.
ID | Identified Vulnerability | Identification Date | Resolution Start Date | Resolution End Date |
VUL-04 | "X-Frame-Options" Not Set | July 03 2021 | July 07 2021 | July 09 2021 |
REMEDIATION PROCEDURE
Below are the details of the actions performed to remediate the security vulnerabilities.
DETAIL OF VULNERABILITIES
This section provides complete detail of vulnerabilities identified during the assessment procedure.
Vulnerability ID | VUL-04 "X-Frame-Options" Not Set |
Description of Vulnerability | The use of X-FRAME-OPTIONS is recommended in setting up websites where user interaction is required for one-click authentication. |
Organizational Risk | Framesniffing is an attack technique that takes advantage of browser functionality to steal data from a website. Web applications that allow their content to be hosted in a cross-domain IFRAME may be vulnerable to this attack. Clickjacking is a malicious technique that tricks a web user into clicking on something different from what the user actually perceives, which can infect a machine with malware that potentially reveals confidential information or takes control of the user's computer and/or user account. |