ADM Click Jack Vulnerability: X-Frame-Option/ Content-Security-Policy's frame ancestor entry missing

Article ID: CTX249864

Description

A vulnerability scanner reports an HTTP clickjacking vulnerability on the ADM management IP because the HTTP response from ADM is missing both the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive.

Environment

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.

Resolution

Earlier builds used the X-Frame-Options header to prevent this vulnerability, but the header was dropped because of design changes in the ADM builds. To address the issue, a new option was added in build 12.1-49.23 that lets you specify the allowed hosts:

  • To defend against ClickJacking attacks, configure a list of allowed hosts. The content security policy (CSP) frame-ancestors and X-Frame-Options are not included in the whitelist. Add them explicitly to the whitelist.
[# 706431, 705731]

Reference Link : https://docs.citrix.com/en-us/citrix-application-delivery-management-software/12-1/downloads/NetScaler-MAS-12-1-49-23.html
 
If you choose not to use this option, the CSP frame-ancestors directive and the X-Frame-Options header are not sent by default. To enable the protection, go to “System->System Administration-> Configure Allowed URLs List” and add hosts to the frame-ancestors whitelist. For example, see the configuration below:
 
Configuration :



For 13.0 and 13.1, go to “System-> Administration-> System Administration-> System Configurations -> Configure Allowed URLs List” to add hosts to the frame-ancestors whitelist. For example, see the configuration below:

Result :



To decide which hosts to configure here, consult your security advisor, or read about this directive and its security properties at the link below:
 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
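As an added example that is not Citrix's code and not part of this article, the following Python function performs the check a clickjacking scanner does: it inspects a response's headers for X-Frame-Options and a CSP frame-ancestors directive and reports whether the page can be framed, and by whom. The sample header sets are constructed; the article does not show the exact header values ADM emits once the allowed URL list is configured, so the "protected" sample is an assumption.

```python
from typing import Dict, List, Optional

def csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def framing_policy(headers: Dict[str, str]) -> dict:
    """Classify anti-framing protection; header names matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = csp_frame_ancestors(csp)
        if sources is not None:
            # Browsers that support frame-ancestors ignore X-Frame-Options, so the
            # CSP directive decides. An empty list or 'none' blocks all framing.
            lowered = [s.lower() for s in sources]
            if not sources or "'none'" in lowered:
                return {"protected": True, "mechanism": "csp-frame-ancestors", "allowed": []}
            if "*" in sources:
                return {"protected": False, "mechanism": "csp-frame-ancestors", "allowed": sources}
            return {"protected": True, "mechanism": "csp-frame-ancestors", "allowed": sources}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return {"protected": True, "mechanism": "x-frame-options", "allowed": []}
    if xfo == "SAMEORIGIN":
        return {"protected": True, "mechanism": "x-frame-options", "allowed": ["'self'"]}
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete value: modern browsers ignore it, which leaves the page framable.
        return {"protected": False, "mechanism": "x-frame-options-allow-from", "allowed": []}
    # Neither header present: the scanner finding this article describes.
    return {"protected": False, "mechanism": "none", "allowed": []}

# Constructed sample responses (not captured from a real ADM; values are assumptions).
UNPROTECTED_HEADERS = {"Content-Type": "text/html", "Cache-Control": "no-cache"}
PROTECTED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://portal.example.com",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    for name, hdrs in (("default", UNPROTECTED_HEADERS), ("allowed list configured", PROTECTED_HEADERS)):
        print(name, framing_policy(hdrs))
```

Run it against a captured response from the ADM management IP after configuring the allowed URLs list to confirm the scanner finding is resolved.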
 

Problem Cause

The HTTP response from ADM does not include the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive.

Additional Information

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors