Unsanitized user input in UI

  • Rule ID: php_symfony_ui_redress
  • Languages: php
  • Source: ui_redress.yml

Description

Incorporating unsanitized user input to configure the X-Frame-Options or Content-Security-Policy HTTP headers exposes your application to UI redress attacks, commonly known as clickjacking. This vulnerability can be exploited to deceive users into performing unintended actions on your website.

Remediations

  • Do set the X-Frame-Options header to "DENY" to prevent your website from being framed by potentially malicious sites.
    $response->headers->set("X-Frame-Options", "DENY");
  • Do configure the Content-Security-Policy header with "frame-ancestors 'none'" to disallow embedding of your site's content in iframes, objects, or embed tags on unauthorized websites.
    $response->headers->set("Content-Security-Policy", "frame-ancestors 'none'");
  • Do not use user input directly to set these headers without proper sanitization and validation.
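The following added example (not Bearer's or Symfony's own code) shows the pattern this rule flags beside a hardened version. It assumes symfony/http-foundation is installed via Composer; the "embed" query parameter and the ALLOWED_FRAME_ANCESTORS allow-list are hypothetical names chosen for illustration.

```php
<?php
// Added example, not part of the Bearer rule or the Symfony project.
// Assumes symfony/http-foundation is available through Composer autoloading.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

// Vulnerable: the CSP value is built from raw user input, so a single request
// parameter can loosen or remove the framing restriction entirely.
function vulnerableResponse(Request $request): Response
{
    $response = new Response('ok');
    $response->headers->set(
        'Content-Security-Policy',
        'frame-ancestors ' . $request->query->get('embed', "'none'")
    );
    return $response;
}

// Hardened: the strict policy is the default, and a relaxation is only ever
// looked up from a fixed allow-list, never interpolated from the request.
// Hypothetical allow-list with a constructed sample origin.
const ALLOWED_FRAME_ANCESTORS = [
    'partner' => 'https://partner.example',
];

function hardenedResponse(Request $request): Response
{
    $response = new Response('ok');
    $response->headers->set('X-Frame-Options', 'DENY');

    $ancestors = "'none'";
    $key = $request->query->get('embed');
    if (is_string($key) && isset(ALLOWED_FRAME_ANCESTORS[$key])) {
        // The request only selects an allow-list entry; the header value itself
        // comes from the constant, not from the user.
        $ancestors = ALLOWED_FRAME_ANCESTORS[$key];
        // X-Frame-Options has no per-origin form that current browsers honour,
        // so it is dropped here and frame-ancestors carries the exception.
        $response->headers->remove('X-Frame-Options');
    }
    $response->headers->set('Content-Security-Policy', 'frame-ancestors ' . $ancestors);
    return $response;
}

// Usage with constructed requests: a hostile value, then an allow-listed key.
$hostile = Request::create('/', 'GET', ['embed' => '*']);
echo vulnerableResponse($hostile)->headers->get('Content-Security-Policy'), PHP_EOL;
echo hardenedResponse($hostile)->headers->get('Content-Security-Policy'), PHP_EOL;

$partner = Request::create('/', 'GET', ['embed' => 'partner']);
echo hardenedResponse($partner)->headers->get('Content-Security-Policy'), PHP_EOL;
```

With the hostile request, the vulnerable function emits a policy that permits framing from any origin, while the hardened function falls back to the 'none' default because the key is not in the allow-list; only the known key yields the partner origin. The fix is not escaping the input but refusing to let it reach the header at all, which is also the shape a static rule like this one can verify.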

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_symfony_ui_redress

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_symfony_ui_redress