Hello everybody,
I opened a case #20905 on Spring Boot, but they asked me to explain the issue here on Spring Security.
I am trying to analyze our applications for vulnerabilities by using OWASP ZAP, and it reports that X-Frame-Options is missing. Our developers are using Spring Boot 2.2, and they show me that by default Spring Security activates it, as you can see in the image below,
but in the HTTP response when analyzing, it seems that it didn't recognize the X-Frame-Options parameter which has been set, because it doesn't appear:
```
Content-Type: text/html
Content-Length: 3860
Connection: keep-alive
Expires: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-XSS-Protection: 1; mode=block
Pragma: no-cache
Accept-Ranges: bytes
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Last-Modified: Thu, 01 Jan 1970 00:00:01 GMT
X-Content-Type-Options: nosniff
Content-Language: en-US
Strict-Transport-Security: max-age=31536000
```
When I check the official documentation,
I don't know if the problem can be the indentation between .headers() and .frameOptions(). I don't know if we are missing something to activate it properly, or if it's a bug.
Comment From: jzheaux
Hi, @pitsoleil, happy to help. The indentation itself shouldn't change the behavior. What I'm more interested in is that you appear to be using Spring Security and Spring Security OAuth together.
Would you be able to produce a minimal sample that demonstrates the issue?
Comment From: pitsoleil
Hi @jzheaux ,
Thank you for your reply. Truthfully speaking, I am not sure that I get what you are asking, and I don't think that I can reproduce a sample as you need either, because I am not a developer. I only showed you what our dev reported to us about X-Frame-Options.
When I analyzed our application, the tool reported to me that X-Frame-Options was not configured, as you can see in the HTTP response; there is no sign of it:
```
Content-Type: text/html
Content-Length: 3860
Connection: keep-alive
Expires: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-XSS-Protection: 1; mode=block
Pragma: no-cache
Accept-Ranges: bytes
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Last-Modified: Thu, 01 Jan 1970 00:00:01 GMT
X-Content-Type-Options: nosniff
Content-Language: en-US
Strict-Transport-Security: max-age=31536000
```
So, when I reported it back to our developers, they showed me that configuration, which was already set by default. Personally, I didn't know that Spring Security and Spring Security OAuth were different, or how they work. I was surprised to see the activation line of .frameOptions(), which seems not to be considered by the applications.
I don't know how to use Spring or what is configured on their side. So, all I can do is ask them what you need to know, if it can help.
Thank you for your time.
Comment From: rwinch
Thanks. As mentioned, X-Frame-Options is enabled by default with Spring Security. In order to help, we need a sample that reproduces the issue. We will await a sample from your development team.
Comment From: pitsoleil
Hi @rwinch ,
Thank you, and sorry for the late answer. We were still investigating for a solution, and finally we decided to change the configuration by using this official link, which asks to configure it as below:
```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // ...
            // Emit X-Frame-Options: SAMEORIGIN instead of the default DENY
            .headers(headers -> headers
                .frameOptions(frameOptions -> frameOptions
                    .sameOrigin()
                )
            );
    }
}
```
Now, when using OWASP ZAP to analyze the headers, it can fetch some responses with X-Frame-Options activated, but it seems that the option doesn't appear in all the headers.
Comment From: rwinch
I'd look to see if you have Spring Security set up to ignore certain requests. Look for something like:
```java
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        // Requests matching this pattern bypass the security filter chain entirely
        webSecurity.ignoring()
            .antMatchers("/foo/**");
    }
}
```
Without a complete sample I cannot be of much more help.
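The distinction rwinch points at, as an added example that is not code from the thread or from the Spring Security project (the path patterns are hypothetical): WebSecurity.ignoring() removes matching requests from the security filter chain altogether, so HeaderWriterFilter never runs and no X-Frame-Options header is written for them, whereas permitAll() inside HttpSecurity keeps the request in the chain, skipping only authentication.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Hypothetical static-asset path. Anything matched here skips every
        // Spring Security filter, including HeaderWriterFilter, so responses
        // for these URLs carry no X-Frame-Options (or any other security header).
        // A scanner will report the header as missing on exactly these paths.
        web.ignoring().antMatchers("/public-assets/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorize -> authorize
                // Hypothetical open endpoint. permitAll() needs no authentication
                // but the request still passes through the filter chain, so the
                // headers configured below are written on its responses too.
                .antMatchers("/foo/**").permitAll()
                .anyRequest().authenticated()
            )
            .headers(headers -> headers
                // X-Frame-Options: SAMEORIGIN on every response in the chain
                .frameOptions(frameOptions -> frameOptions.sameOrigin())
            );
    }
}
```

If a path must be exempt from authentication but should still get security headers, prefer permitAll() over ignoring(); reserve ignoring() for resources where skipping the whole chain is intended.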
Comment From: pitsoleil
Hello @rwinch ,
Thank you for your reply.
By sample, do you need to see how exactly it's configured on our side? If that's the case, I can ask if I can have it.
I would like to know if you need us to replace the code that you gave us with the one that is already set on our Spring, or if you need us to just add the one you provided. Sorry, because I am not a developer, it's a little hard for me to get properly what you need me to do.
Thanks again
Comment From: rwinch
I need something I can use to reproduce your issue.
If you are looking for help configuring vs reporting a bug, then as mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add some more details if you feel this is a genuine bug.
Comment From: pitsoleil
Hi @rwinch ,
Sorry for my late answer. Finally, by using this other configuration below, provided by the official link, X-Frame-Options is detected properly.
```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // ...
            .headers(headers -> headers
                .frameOptions(frameOptions -> frameOptions
                    .sameOrigin()
                )
            );
    }
}
```
So it means that it was a misconfiguration and not a bug. Thank you for your time and assistance.
Comment From: rwinch
Thanks for following up, and glad you solved the problem, @pitsoleil.