IBM Support

webMethods Knowledgebase : Cross-Frame Scripting vulnerability in CentraSite. (1752901)

Troubleshooting


Problem

A security team recently ran a WebInspect scan against a CentraSite server. HP WebInspect is an application security testing tool for assessing the security of Web applications and Web services. The WebInspect scan revealed a high-severity vulnerability item, "Cross-Frame Scripting". The detailed information on this vulnerability is below. Is your management or development team aware of this issue, and what is their response?

Summary:

A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. The attacker could use this weakness to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks.

Clickjacking: The goal of a Clickjacking attack is to deceive the victim user into interacting with UI elements of the attacker’s choice on the target web site without her knowledge and in turn executing privileged functionality on the victim’s behalf. To achieve this goal, the attacker must exploit the XFS vulnerability to load the attack target inside an iframe tag, hide it using Cascading Style Sheets (CSS) and overlay the phishing content on the malicious page. By placing the UI elements on the phishing page to overlap with those on the page targeted in the attack, the attacker can ensure that the victim is forced to interact with the UI elements on the target page not visible to the victim.

Implication:

A Cross-Frame Scripting weakness could allow an attacker to embed the vulnerable application inside an iframe. Exploitation of this weakness could result in:

• Hijacking of user events such as keystrokes.
• Theft of sensitive information.
• Execution of privileged functionality through combination with Cross-Site Request Forgery attacks.
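
As a defender's check for the finding described in the Summary and Implication sections above (an added example; it is not part of the IBM article and not CentraSite code), the following Python function evaluates the two response headers browsers consult before rendering a page inside a frame, Content-Security-Policy frame-ancestors and X-Frame-Options, and reports whether another origin could embed the page. The sample header sets are constructed for illustration, not captured from a CentraSite server, and the verdict labels ("blocked", "restricted", "framable") are this example's own.

```python
"""Assess whether an HTTP response allows the page to be framed by another origin.

Added example, not from the IBM page or CentraSite. Only the enforcing
Content-Security-Policy header is consulted; Content-Security-Policy-Report-Only
does not block framing and is deliberately ignored.
"""
from typing import Dict, List, Optional, Tuple


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP header value,
    or None when the directive is not present at all."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_assessment(headers: Dict[str, str]) -> Tuple[str, str]:
    """Classify the framing posture of one response.

    Returns (verdict, reason) where verdict is:
      'blocked'    - cross-origin framing is prevented
      'restricted' - framing is limited to an explicit allow-list (review it)
      'framable'   - no effective control; any site can frame the page (the XFS finding)
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp:
        sources = frame_ancestors(csp)
        if sources is not None:
            # When frame-ancestors is present, browsers that implement CSP2
            # ignore X-Frame-Options, so the CSP verdict is final.
            if sources == ["'none'"]:
                return ("blocked", "CSP frame-ancestors 'none'")
            if sources == ["'self'"]:
                return ("blocked", "CSP frame-ancestors 'self' (same-origin framing only)")
            # A bare wildcard or a scheme-only source such as "https:" admits every origin.
            if any(src == "*" or src.endswith(":") for src in sources):
                return ("framable", "CSP frame-ancestors permits any origin: " + " ".join(sources))
            return ("restricted", "CSP frame-ancestors allow-list: " + " ".join(sources))

    xfo = _header(headers, "X-Frame-Options").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return ("blocked", "X-Frame-Options: " + xfo)
    if xfo.startswith("ALLOW-FROM"):
        # ALLOW-FROM was never supported by Chrome or Safari and was dropped by
        # Firefox; treat it as providing no protection and point at the CSP fix.
        return ("framable", "X-Frame-Options ALLOW-FROM is obsolete; use CSP frame-ancestors")
    if xfo:
        return ("framable", "unrecognised X-Frame-Options value %r is ignored by browsers" % xfo)
    return ("framable", "no X-Frame-Options and no CSP frame-ancestors")


# Constructed sample responses (not captured from any real server).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "no-headers": {"Content-Type": "text/html"},
    "xfo-deny": {"Content-Type": "text/html", "X-Frame-Options": "deny"},
    "csp-self-overrides-xfo": {
        "content-security-policy": "default-src 'self'; frame-ancestors 'self'",
        "X-Frame-Options": "ALLOW-FROM https://partner.example",
    },
    "csp-allowlist": {"Content-Security-Policy": "frame-ancestors https://portal.example"},
    "csp-scheme-wildcard": {"Content-Security-Policy": "frame-ancestors https:"},
}


def scan_all(responses: Dict[str, Dict[str, str]] = SAMPLE_RESPONSES) -> Dict[str, str]:
    """Map each response name to its verdict, the view a triage team wants first."""
    return {name: framing_assessment(hdrs)[0] for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        verdict, reason = framing_assessment(hdrs)
        print(f"{name:24s} {verdict:10s} {reason}")
```

Feed the function the headers of each HTML-serving endpoint the scanner flagged; anything that comes back "framable" is the condition WebInspect reports as Cross-Frame Scripting, and "restricted" results still need the allow-list reviewed against the origins that legitimately embed the application.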

Document Location

Worldwide



Document Information

Modified date:
20 March 2025

UID

ibm17208624