This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM Vulnerable to clickjacking

Hey All,

I have a weird one.

We have 2 UTMs, both running 9.705-3 doing WAF for Exchange Server deployed per the KB - https://support.sophos.com/support/s/article/KB-000038003?language=en_US

Everything is working fine, but we are renewing our annual security test including a PenTest
One of these is showing as vulnerable to clickjacking and one is not

I have gone through the config side by side and both look identical, i cant figure it out. 

The links offered up by the PenTest software are: 

http://www.nessus.org/u?399b1f56
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

But i can't find a way to insert these headers. 

If i test with https://www.lookout.net/test/clickjack.html one does load the page (which it shouldn't) and one does not load the page denying the connection (which should be the behaviour) so something isn't set correctly, its just where to change it

Can anyone shove me in the right direction?



This thread was automatically locked due to age.
Parents
  • Hi and welcome to the UTM Community!

    Standard questions:  On the one working correctly, do you see the block in the WAF log or in the Intrusion Prevention log?  Have you tried restoring a recent config backup on the bad guy? Have you tried re-booting?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Hi and welcome to the UTM Community!

    Standard questions:  On the one working correctly, do you see the block in the WAF log or in the Intrusion Prevention log?  Have you tried restoring a recent config backup on the bad guy? Have you tried re-booting?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • There is no block happening, and that is the problem. 

    I have not tried a reboot or a config restoration. I did restart apache however, no dice. 

  • Where is the block in the unit that behaves correctly?  This will be a clue to avoid the following...

    My usual suggestion would be to try the following, in order, on the misbehaving unit until the problem disappears:

    1. Restore a config backup.
    2. Reboot.
    3. Re-image from ISO and restore.

    Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA