Wednesday 25 January 2012

Clickjacking and UAG

I got an email from a customer and friend, regarding penetration test results on a Microsoft UAG environment.  The report highlighted that Clickjacking is a way of tricking web users into revealing confidential information or allowing their computer to be controlled while clicking on seemingly harmless web pages.  Clickjacking can be embedded code or a script that executes without the web user's knowledge.

I took this opportunity to learn a bit more about this and found a couple of interesting websites.  It seems that other UAG users have encountered this during penetration testing before, and there is a fix:  http://forums.forefrontsecurity.org/default.aspx?g=posts&m=2788

The following code needs to be added into the UAG login.asp script:

<script type="text/javascript">
if(top != self) top.location.replace(location);
</script>

Adding the code is fine, but I had to find a way of testing the Clickjacking.  I found this site, which allowed me to test the vulnerability:  https://www.codemagi.com/blog/post/196

By creating an HTML page with the following code, and replacing the URL in the iframe's src attribute (the red text in the original post) with the URL that you want to test, it will show if the website is vulnerable to Clickjacking:

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>You’ve been clickjacked!</p>
<iframe sandbox="allow-scripts allow-forms" src="http://localhost:8080" style="width:100%;height:90%"></iframe>
</body>
</html>

With a little experimentation, I found the best place within the UAG login.asp to put the additional line of code was here:

var capsLockNote = "<%=GetString(111, "Note: The Caps Lock key is on. Passwords are case-sensitive.")%>";
</script>

<script type="text/javascript">
  if(top != self) top.location.replace(location);
</script>

<script language="JavaScript" src="/InternalSite/scripts/capsLock.js"></script>

I have to stress that it may be different on your UAG deployment, so remember to test it works, rather than assume!
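The script fix above depends on JavaScript running inside the frame and being allowed to navigate the top window, which the sandbox attribute in the test page blocks in browsers that honour it. The following added example (not from the original post, the linked sites or UAG) goes beyond the script fix and checks a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers instead; the function name and the sample headers are constructed for illustration.

```javascript
// Added example: decide from HTTP response headers whether a page restricts
// being framed. framingPolicy is a hypothetical helper, not a UAG function.
// headers: plain object of header name -> value (names are case-insensitive).
function framingPolicy(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);

  // Several policies may arrive comma-joined. Every policy is enforced, so one
  // restrictive frame-ancestors is enough; only the first per policy counts.
  let openCsp = null;
  for (const policy of (h['content-security-policy'] || '').split(',')) {
    const fa = policy.split(';').map(d => d.trim().split(/\s+/))
      .find(parts => parts[0].toLowerCase() === 'frame-ancestors');
    if (!fa || fa.length < 2) continue; // absent or no sources: not counted here
    const sources = fa.slice(1).map(s => s.toLowerCase());
    const open = sources.some(s => s === '*' || s === 'http:' || s === 'https:');
    if (!open) return { restricted: true, via: 'csp', value: sources.join(' ') };
    openCsp = sources.join(' ');
  }
  // An enforced frame-ancestors directive makes browsers ignore X-Frame-Options,
  // so an open one leaves the page frameable whatever X-Frame-Options says.
  if (openCsp) return { restricted: false, via: 'csp', value: openCsp };

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { restricted: true, via: 'x-frame-options', value: xfo };
  }
  // Missing header, or an obsolete/unknown value such as ALLOW-FROM.
  return { restricted: false, via: null, value: xfo || null };
}

// Constructed sample responses (not captured from a real UAG portal).
const samples = [
  { name: 'no headers', headers: {} },
  { name: 'XFO only', headers: { 'X-Frame-Options': 'sameorigin' } },
  { name: 'CSP none', headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" } },
  { name: 'open CSP overrides XFO', headers: { 'Content-Security-Policy': 'frame-ancestors *', 'X-Frame-Options': 'DENY' } },
];
for (const s of samples) {
  const r = framingPolicy(s.headers);
  console.log(`${s.name}: ${r.restricted ? 'framing restricted' : 'frameable'} (${r.via || 'no header'})`);
}
```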

