flex-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Petr Nemecek" <p...@cmail.cz>
Subject Qualys scan/X-Frame-Options
Date Tue, 04 Mar 2014 18:29:36 GMT
Hi all,

one of our clients run Qualys scan on our app. The only finding was see
below. The html file is the file that is automatically generated by Flash
Builder during the compilation.

I assume I will have to add some code into the html. Any idea how to cope
with that automatically? I.e. not to have to edit the html manually whenever
I export a new release.	

Many thanks,
 Petr

************************************
URL: https://www.abc.de/app/app.html
Finding # 326356057 First Time Detected 15 Feb 2014 04:07 GMT+0200
Group Information Disclosure Last Time Detected 15 Feb 2014 04:07 GMT+0200
CWE - Last Time Tested 15 Feb 2014 04:07 GMT+0200
OWASP - Times Detected 1
WASC -
CVSS Base - CVSS Temporal-
Details
Threat
The page can be easily framed. Anti-framing measures are not used.
Impact
Clickjacking and Cross-Site Request Forgery (CSRF) can be performed by
framing the target site. An attack can trick the user into clicking on the
link by framing
the original page and showing a layer on top of it with dummy buttons.
Solution
Two of the most popular prevention are: X-Frame-Options: This header works
with modern browsers and can be used to prevent framing of the page. Note
that is
must be an HTTP header, the setting is ignored if it is created as an
"http-equiv" meta element within the page. Framekiller: JavaScript code that
prevents the
malicious user from framing the page.
************************************


Mime
View raw message