Preventing iFrame injection in web app


There is an issue that an malicious attacker can inject iframes within the app so that the iframe can have a source to an external application that is outside of the parent app’s domain.

Ex: Lets consider the app to be hosted at https://app.com/. The attacker could inject an iframe that will contain a source to https://malicious.com/

In this case, we have to prevent any iFrames injected in our app that can point to a domain that is different from ours. To fix this issue, add the following header in the response for each request

X-Frame-Options : SAMEORIGIN

This is done by the following ways in MVC

web.config file

<system.webServer>

<httpProtocol>

<customHeaders>

<add name=”X-Frame-Options” value=”SAMEORIGIN” /> </customHeaders> </httpProtocol>

</system.webServer>

Application Start in Global.asax.cs

protected void Application_Start()
{
    AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
}
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s