UTM Vulnerable to clickjacking

Question

Hey All, 
 I have a weird one. 
 We have 2 UTMs, both running 9.705-3 doing WAF for Exchange Server deployed per the KB - https://support.sophos.com/support/s/article/KB-000038003?language=en_US 
 Everything is working fine, but we are renewing our annual security test including a PenTest One of these is showing as vulnerable to clickjacking and one is not 
 I have gone through the config side by side and both look identical, i cant figure it out. 
 The links offered up by the PenTest software are: 
 http://www.nessus.org/u?399b1f56 https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet 
 But i can't find a way to insert these headers. 
 If i test with https://www.lookout.net/test/clickjack.html one does load the page (which it shouldn't) and one does not load the page denying the connection (which should be the behaviour) so something isn't set correctly, its just where to change it 
 Can anyone shove me in the right direction?

vAdmin · Accepted Answer

Ok, found it after stitching together multiple other threads on the topic. 
 
 Firstly: THIS IS NOT A SUPPORTED CONFIG FROM SOPHOS. YOU DO SO AT YOUR OWN RISK. Secondly: THIS IS NOT A SUPPORTED CONFIG. You will be making backend changes and if you don't know what you are doing, bail out now Thirdly: It is likely to be reset upon a webUI change, firmware upgrade or reboot of the device. You will need to recheck on both of these conditions to ensure it remains in place 
 Also, just because you patch the Sophos unit doesn't solve your issue. These headers also need to be set on the backend servers (aka the "real webservers"). 
 Take a backup of your ENTIRE config before proceeding. 
 Edit: /var/storage/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf Under each VHost you want to fix, find this line: RequestHeader set X-Forwarded-Proto https 
 Directly under that line without amending it, add these lines: Header always set X-Frame-Options "DENY" Header always set Content-Security-Policy "frame-ancestors 'none'" 
 Save the file 
 Restart the service by running: /var/mdw/scripts/reverseproxy restart 
 You can also insert the lines to /var/storage/chroot-reverseproxy/usr/apache/conf/httpd.conf to do global protection if you were so keen. 
 Retest your config to ensure everything works as expected 
 ???? 
 Profit! / Go to the pub

FormerMember · Answer

Hi vAdmin , 
 Thanks for reaching out to the Community! 
 I would suggest you check if there's any DNAT rule for the service/port that got detected in the scan. 
 Thanks,

UTM Vulnerable to clickjacking

Top Replies