Unsanitized user input in UI

  • Rule ID: javascript_express_ui_redress
  • Languages: javascript
  • Source: ui_redress.yml

Description

Incorporating unsanitized user input into the X-Frame-Options or Content-Security-Policy HTTP headers exposes your application to UI redress attacks, commonly known as clickjacking. Whoever controls the input can weaken or disable the framing restriction, so an attacker can embed the page in a frame on a site they control and manipulate its appearance to deceive users into performing unintended actions.

Remediations

  • Do set the most secure values for these headers to enhance protection against clickjacking.
    res.set('X-Frame-Options', 'DENY');
    res.set('Content-Security-Policy', "frame-ancestors 'none'");
  • Do not directly use user input to set these headers. Instead, implement a safelist approach so that only approved values are ever written to the header.
    // Map a known input to a fixed, approved header value
    if (req.query.options === 'same') {
      res.set('X-Frame-Options', 'SAMEORIGIN');
    }

    // Safelist: only the two valid X-Frame-Options values are accepted;
    // guard against a missing or non-string query value (e.g. ?options[]=x)
    const requested = typeof req.query.options === 'string' ? req.query.options.toLowerCase() : '';
    if (['deny', 'sameorigin'].includes(requested)) {
      res.set('X-Frame-Options', requested.toUpperCase());
    }
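The safelist approach above, worked through as a complete Express-style middleware. This is an added example, not code from the Bearer rule or its documentation. It assumes an Express-like `req.query` and `res.set()`, but ships a tiny stand-in response object so it runs without the framework; the query parameter name `frame` and the function names are illustrative choices. The point it adds to the text is that the user's string never reaches the header at all: the input only selects a key, and the header value is always one of the code's own literals, with a secure default for anything missing, non-string (arrays and objects from query parsing) or off the list.

```javascript
// Added example (not from the Bearer rule docs): safelisted framing headers
// driven by a query parameter, with a secure default for anything else.
// Assumes an Express-style req/res; a fake res is provided so it runs stand-alone.

// Canonical header values keyed by the only inputs we accept.
// 'sameorigin' is the most permissive option offered; there is no way to
// express ALLOW-FROM or an arbitrary frame-ancestors origin through this map.
const FRAME_POLICIES = Object.freeze({
  deny: { xfo: 'DENY', csp: "frame-ancestors 'none'" },
  sameorigin: { xfo: 'SAMEORIGIN', csp: "frame-ancestors 'self'" },
});

// Applied when the input is missing, malformed, or not on the safelist.
const DEFAULT_POLICY = 'deny';

// Resolve a user-supplied value to a safelist key. Returns one of our own
// constant keys, never the caller's string, so prototype names such as
// 'constructor' and unexpected types (?frame[]=x, ?frame[a]=b) fall back safely.
function resolveFramePolicy(input) {
  if (typeof input !== 'string') return DEFAULT_POLICY;
  const key = input.trim().toLowerCase();
  return Object.prototype.hasOwnProperty.call(FRAME_POLICIES, key) ? key : DEFAULT_POLICY;
}

// Express-style middleware: reads ?frame=... and sets both headers together
// (X-Frame-Options for older browsers, CSP frame-ancestors for current ones).
function framePolicyMiddleware(req, res, next) {
  const query = req.query || {};
  const policy = FRAME_POLICIES[resolveFramePolicy(query.frame)];
  res.set('X-Frame-Options', policy.xfo);
  res.set('Content-Security-Policy', policy.csp);
  next();
}

// Minimal stand-in for an Express response so the example runs offline.
function fakeResponse() {
  const headers = {};
  return {
    headers,
    set(name, value) { headers[name] = value; return this; },
  };
}

// Run the middleware for one constructed request and return the headers it set.
function headersFor(query) {
  const res = fakeResponse();
  framePolicyMiddleware({ query }, res, () => {});
  return res.headers;
}

// Constructed sample inputs showing normal, missing, and malformed query values.
const samples = [
  { frame: 'sameorigin' },
  { frame: 'DENY' },
  {},                                   // parameter absent
  { frame: ['deny', 'sameorigin'] },    // ?frame=deny&frame=sameorigin
  { frame: 'allow-from https://example.com' },
];
for (const q of samples) {
  console.log(JSON.stringify(q), '->', JSON.stringify(headersFor(q)));
}
```

In a real application the middleware would be registered with `app.use(framePolicyMiddleware)`; Bearer flags the pattern `res.set('X-Frame-Options', req.query...)` precisely because the tainted string flows into the header, whereas here only a constant selected by the input does.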

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_express_ui_redress

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_express_ui_redress