Cross-Frame Scripting
Posted: Wed Jun 26, 2013 12:35 pm
We had an audit in our company and they came up with the following risk in Nagios XI, currently used in our environment.
Is there anything from your side to be done to remediate this risk?
Cross-Frame Scripting
A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. The attacker could use this weakness to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks.
Clickjacking
The goal of a Clickjacking attack is to deceive the victim user into interacting with UI elements of the attacker's choice on the target web site without her knowledge and in turn executing privileged functionality on the victim's behalf. To achieve this goal, the attacker must exploit the XFS vulnerability to load the attack target inside an iframe tag, hide it using Cascading Style Sheets (CSS) and overlay the phishing content on the malicious page. By placing the UI elements on the phishing page to overlap with those on the page targeted in the attack, the attacker can ensure that the victim is forced to interact with the UI elements on the target page not visible to the victim.
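The finding above boils down to one question: does the application's HTTP response tell browsers not to render it inside a frame on another origin? The script below, an added example that is not part of the original post and not Nagios XI code, evaluates a raw response header block the way current browsers do (a CSP frame-ancestors directive overrides X-Frame-Options; conflicting X-Frame-Options values cause the browser to refuse rendering; ALLOW-FROM and report-only policies are ignored) and also renders the invisible-iframe overlay page the audit text describes, so the result can be confirmed in a browser against a system you are authorised to test. All header samples and host names are constructed for the example.

```python
"""Evaluate whether an HTTP response can be framed by a third-party page (the
precondition for the XFS / clickjacking finding) and build the overlay PoC.

Added example, not part of the original post or of Nagios XI. The header
blocks at the bottom are constructed samples, not captured server output.
"""
import html
from typing import Dict, List, Optional

# Verdicts ordered from most to least restrictive so the strictest one wins.
_RANK = {"blocked": 0, "same-origin": 1, "restricted": 2, "frameable": 3}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw response header block into {lowercased name: [values]}.
    Repeated headers keep every value; that matters for X-Frame-Options."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip the status line and blank terminator
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _xfo_verdict(values: List[str]) -> str:
    """Apply the HTML spec rules for X-Frame-Options."""
    # A comma-separated header value counts as several values.
    tokens = {v.strip().upper() for raw in values for v in raw.split(",") if v.strip()}
    if not tokens:
        return "frameable"
    if len(tokens) > 1:
        return "blocked"       # conflicting values: browsers refuse to render
    token = tokens.pop()
    if token == "DENY":
        return "blocked"
    if token == "SAMEORIGIN":
        return "same-origin"
    return "frameable"         # ALLOW-FROM and unknown values are ignored


def _csp_verdict(policies: List[str]) -> Optional[str]:
    """Evaluate frame-ancestors across all enforced CSP headers. Every policy
    is enforced independently, so the strictest one decides. Returns None
    when no policy carries a frame-ancestors directive."""
    worst: Optional[str] = None
    for policy in policies:
        for directive in policy.split(";"):
            tokens = directive.split()
            if not tokens or tokens[0].lower() != "frame-ancestors":
                continue
            sources = [t.strip("'").lower() for t in tokens[1:]]
            if not sources or sources == ["none"]:
                verdict = "blocked"
            elif sources == ["self"]:
                verdict = "same-origin"
            else:
                verdict = "restricted"   # explicit allow-list of origins
            if worst is None or _RANK[verdict] < _RANK[worst]:
                worst = verdict
            break  # only the first frame-ancestors in a policy is honoured
    return worst


def framing_verdict(raw_headers: str) -> str:
    """Return 'blocked', 'same-origin', 'restricted' or 'frameable'."""
    headers = parse_headers(raw_headers)
    # CSP frame-ancestors overrides X-Frame-Options when both are present.
    # Content-Security-Policy-Report-Only is not enforced and is ignored.
    csp = _csp_verdict(headers.get("content-security-policy", []))
    if csp is not None:
        return csp
    return _xfo_verdict(headers.get("x-frame-options", []))


def clickjacking_poc(target_url: str, decoy_text: str = "Click to continue") -> str:
    """Build the attacker page from the finding: the target is loaded in a
    transparent iframe stacked above a decoy button, so the victim's click
    lands on the framed page. Use only against systems you may test."""
    url = html.escape(target_url, quote=True)
    return (
        "<!doctype html><html><body>\n"
        f'<button style="position:absolute;top:120px;left:80px;z-index:1">'
        f"{html.escape(decoy_text)}</button>\n"
        f'<iframe src="{url}" style="position:absolute;top:0;left:0;'
        'width:800px;height:600px;opacity:0;z-index:2;border:0"></iframe>\n'
        "</body></html>"
    )


# Constructed sample responses (hypothetical, not real Nagios XI output).
UNPROTECTED = "HTTP/1.1 200 OK\nServer: Apache\nContent-Type: text/html\n"
XFO_SAMEORIGIN = "HTTP/1.1 200 OK\nX-Frame-Options: SAMEORIGIN\nContent-Type: text/html\n"
CSP_OVERRIDES_XFO = ("HTTP/1.1 200 OK\nX-Frame-Options: ALLOW-FROM https://partner.example\n"
                     "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\n")

if __name__ == "__main__":
    for name, raw in [("unprotected", UNPROTECTED), ("xfo", XFO_SAMEORIGIN),
                      ("csp", CSP_OVERRIDES_XFO)]:
        print(f"{name:12s} -> {framing_verdict(raw)}")
    print(clickjacking_poc("https://nagios.example/nagiosxi/"))
```

A verdict of "frameable" is what the audit is reporting. For an application served by Apache (assumed here for Nagios XI) the usual fix is a mod_headers directive such as `Header always set X-Frame-Options "SAMEORIGIN"` or, on modern browsers, `Content-Security-Policy: frame-ancestors 'self'`; re-run the check afterwards and load the generated PoC page from a different origin to confirm the frame stays blank.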