Unsanitized user input in UI

• Rule ID: php_symfony_ui_redress
• Languages: php
• Source: ui_redress.yml

Description

Incorporating unsanitized user input to configure the X-Frame-Options or Content-Security-Policy HTTP headers exposes your application to UI redress attacks, commonly known as clickjacking. This vulnerability can be exploited to deceive users into performing unintended actions on your website.

Remediations

• Do set the X-Frame-Options header to "DENY" to prevent your website from being framed by potentially malicious sites.

  $response->headers->set("X-Frame-Options", "DENY");

• Do configure the Content-Security-Policy header with "frame-ancestors 'none'" to disallow embedding of your site's content in iframes, objects, or embed tags on unauthorized websites.

  $response->headers->set("Content-Security-Policy", "frame-ancestors 'none'");

• Do not use user input directly to set these headers without proper sanitization and validation.

References

• OWASP Clickjacking attack explained
• OWASP Clickjacking defense cheat sheet

Associated CWE

• CWE-1021: Improper Restriction of Rendered UI Layers or Frames

OWASP Top 10

• A04:2021 - Insecure Design

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_symfony_ui_redress

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_symfony_ui_redress