Web Application Potentially Vulnerable to Clickjacking

[machkelyamov]

The remote web server does not set an X-Frame-Options response header or a Content-Security-Policy 'frame-ancestors' response header in all content responses. This could potentially expose the site to a clickjacking or UI redress attack, in which an attacker can trick a user into clicking an area of the vulnerable page that is different from what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions.
X-Frame-Options has been proposed by Microsoft as a way to mitigate clickjacking attacks and is currently supported by all major browser vendors.
Content-Security-Policy (CSP) has been proposed by the W3C Web Application Security Working Group, with increasing support among all major browser vendors, as a way to mitigate clickjacking and other attacks. The 'frame-ancestors' policy directive restricts which sources can embed the protected resource.

Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response. Read more about what Clickjacking is: https://www.synopsys.com/glossary/what-is-clickjacking.html#:~:text=Clickjacking%20is%20an%20attack%20that,describes%20what%20is%20going%20on.
Output:
The following pages do not use a clickjacking mitigation response header and contain a clickable event :

• http://10.11.10.115:9091/

[beorn7]

Thanks for the report.

I think we should solve this consistently across the Prometheus ecosystem because it affects all web UIs (i.e. also Prometheus server and Alertmanager).

A problem I could see is that some users do want to put the UI into an iframe.

Note that you can already set an X-Frame-Options header via the --web.config.file flag, see https://github.com/prometheus/pushgateway#tls-and-basic-authentication (and ultimately https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md , search for "X-Frame-Options" on that page).

So maybe this is already working as intended, as in: If you are in a situation where you need to set X-Frame-Options, you already can?

[machkelyamov]

Thanks for the report.

I think we should solve this consistently across the Prometheus ecosystem because it affects all web UIs (i.e. also Prometheus server and Alertmanager).

A problem I could see is that some users do want to put the UI into an iframe.

Note that you can already set an X-Frame-Options header via the --web.config.file flag, see https://github.com/prometheus/pushgateway#tls-and-basic-authentication (and ultimately https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md , search for "X-Frame-Options" on that page).

So maybe this is already working as intended, as in: If you are in a situation where you need to set X-Frame-Options, you already can?

Thanks for the report.

I think we should solve this consistently across the Prometheus ecosystem because it affects all web UIs (i.e. also Prometheus server and Alertmanager).

A problem I could see is that some users do want to put the UI into an iframe.

Note that you can already set an X-Frame-Options header via the --web.config.file flag, see https://github.com/prometheus/pushgateway#tls-and-basic-authentication (and ultimately https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md , search for "X-Frame-Options" on that page).

So maybe this is already working as intended, as in: If you are in a situation where you need to set X-Frame-Options, you already can?

Thank you for your response.
We are using docker-compose, could you please tell me how we can fix it there?

[beorn7]

I'm not a docker-compose expert, but generally, you need to pass in the flag --web.config.file=my_web_config.yml somehow, and then of course also add your my_web_config.yml to the container in the usual way.

[beorn7]

I'll convert this into a discussion, as it indeed seems to "work as intended". If you believe the current behavior is not sufficient, please raise a bug in https://github.com/prometheus/exporter-toolkit , as this is where all Prometheus projects get their web serving capabilities from.