CWE-1021: Improper Restriction of Rendered UI Layers or Frames
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.
扩展描述
A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to.
常见后果
影响范围: Access Control
技术影响: Gain Privileges or Assume Identity Bypass Protection Mechanism Read Application Data Modify Application Data
说明: An attacker can trick a user into performing actions that are masked and hidden from the user's view. The impact varies widely, depending on the functionality of the underlying application. For example, in a social media application, clickjacking could be used to trik the user into changing privacy settings.
潜在缓解措施
阶段: Implementation
阶段: Implementation
阶段: Implementation
描述: This defense-in-depth technique can be used to prevent the improper usage of frames in web applications. It prioritizes the valid sources of data to be loaded into the application through the usage of declarative policies. Based on which implementation of Content Security Policy is in use, the developer should use the "frame-ancestors" directive or the "frame-src" directive to mitigate this weakness. Both directives allow for the placement of restrictions when it comes to allowing embedded content.
检测方法
方法: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
有效性: High
观察示例
参考: CVE-2017-7440
E-mail preview feature in a desktop application allows clickjacking attacks via a crafted e-mail message
参考: CVE-2017-5697
Hardware/firmware product has insufficient clickjacking protection in its web user interface
参考: CVE-2017-4015
Clickjacking in data-loss prevention product via HTTP response header.
参考: CVE-2016-2496
Tapjacking in permission dialog for mobile OS allows access of private storage using a partially-overlapping window.
参考: CVE-2015-1241
Tapjacking in web browser related to page navigation and touch/gesture events.
参考: CVE-2017-0492
System UI in mobile OS allows a malicious application to create a UI overlay of the entire screen to gain privileges.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
技术
关键信息
CWE ID: CWE-1021
抽象级别: Base
结构: Simple
状态: Incomplete