Clickjacking in Actix
How Clickjacking Manifests in Actix
Clickjacking attacks in Actix applications exploit the framework's default behavior of serving HTML responses without proper frame-busting protections. When an Actix application serves a web page without appropriate HTTP headers, malicious actors can embed that page within an iframe on their own domains, tricking users into unknowingly interacting with the application.
The vulnerability typically manifests when Actix handlers return HTML content without setting the X-Frame-Options header or Content-Security-Policy frame-ancestors directive. For example, consider a typical Actix handler that serves a user dashboard:
async fn dashboard(req: HttpRequest) -> impl Responder {
HttpResponse::Ok()
.content_type("text/html")
.body("<html>...dashboard content...</html>")
}
This endpoint is vulnerable because it allows any external site to embed the dashboard in an iframe. An attacker could create a malicious page that overlays a transparent iframe of the victim's dashboard, then place deceptive buttons or forms on top. When users click what they believe are legitimate buttons, they're actually interacting with the embedded Actix application.
Actix's middleware system makes this particularly insidious because developers often chain multiple middleware without considering security headers. A common pattern involves using actix-files for static assets combined with custom handlers:
#[actix_web::main]
async fn main() -> std::io::Result<()> {
HttpServer::new(|| {
App::new()
.wrap(middleware::NormalizePath)
.service(web::resource("/").route(web::get().to(index)))
.service(web::resource("/dashboard").route(web::get().to(dashboard)))
.service(actix_files::Files::new("/static", "./static"))
})
.bind("127.0.0.1:8080")?
.run()
.await
}
The vulnerability becomes more severe when Actix applications handle sensitive operations like financial transactions or administrative functions without proper frame protections. An attacker could create a convincing phishing page that appears to be a legitimate form but actually submits data to the victim's Actix application.
Authentication state compounds the risk. If users are already authenticated to the Actix application, clickjacking can bypass CSRF protections since the malicious iframe inherits the user's session cookies, allowing attackers to perform actions on behalf of the victim without their knowledge.
Actix-Specific Detection
Detecting clickjacking vulnerabilities in Actix applications requires examining both the application code and runtime behavior. The most straightforward detection method involves inspecting HTTP responses for the absence of critical security headers.
Using curl to test a vulnerable endpoint reveals the problem:
curl -I http://localhost:8080/dashboard
A vulnerable response shows headers like:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1234
Notice the absence of X-Frame-Options and Content-Security-Policy headers. The presence of these headers would look like:
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
middleBrick's scanning approach specifically targets Actix applications by examining the unauthenticated attack surface. The scanner tests whether Actix endpoints can be embedded in iframes by attempting to load them within a controlled environment and checking for the presence of frame-busting protections.
For Actix applications using middleware, detection must examine the complete middleware chain. A common anti-pattern involves using actix-cors middleware without understanding its security implications:
App::new()
.wrap(Cors::permissive())
.service(web::resource("/api/data").route(web::get().to(get_data)))
This configuration might inadvertently allow cross-origin requests that facilitate clickjacking when combined with other vulnerabilities.
middleBrick's automated scanning identifies these issues by:
- Testing Actix endpoints for iframe embeddability
- Checking for missing X-Frame-Options headers
- Verifying Content-Security-Policy frame-ancestors directives
- Analyzing middleware configurations that might weaken security
The scanner's black-box approach is particularly effective for Actix applications because it doesn't require source code access or credentials—it simply tests the running application's behavior against clickjacking attack patterns.
Actix-Specific Remediation
Remediating clickjacking vulnerabilities in Actix applications involves implementing proper HTTP security headers through middleware and handler configurations. The most effective approach uses Actix's middleware system to ensure consistent header application across all endpoints.
The recommended remediation uses a custom middleware that sets frame-busting headers:
use actix_web::{middleware, web, App, HttpResponse, HttpServer, dev::ServiceRequest, dev::ServiceResponse};
struct FrameProtection;
impl middleware::NewTransform for FrameProtection
where
S: web::HttpServiceFactory,
{
type Transform = FrameProtectionMiddleware;
type InitError = ();
type Future = std::future::Ready<Result<Self::Transform, Self::InitError>>;
fn new_transform(&self, service: S) -> Self::Future {
std::future::ready(Ok(FrameProtectionMiddleware { service }))
}
}
struct FrameProtectionMiddleware {
service: S,
}
impl<S> middleware::Transform<S> for FrameProtectionMiddleware<S>
where
S: Service<ServiceRequest>,
{
type Request = ServiceRequest;
type Response = ServiceResponse;
type Error = S::Error;
type Future = S::Future;
fn poll_ready(&mut self, cx: &mut std::task::Context) -> std::task::Poll<Result<(), Self::Error>> {
self.service.poll_ready(cx)
}
fn call(&mut self, req: ServiceRequest) -> Self::Future {
self.service.call(req)
}
}
impl<S> middleware::Transform<S> for FrameProtectionMiddleware<S>
where
S: Service<ServiceRequest>,
{
type Request = ServiceRequest;
type Response = ServiceResponse;
type Error = S::Error;
type Future = S::Future;
fn poll_ready(&mut self, cx: &mut std::task::Context) -> std::task::Poll<Result<(), Self::Error>> {
self.service.poll_ready(cx)
}
fn call(&mut self, req: ServiceRequest) -> Self::Future {
self.service.call(req)
}
}
fn main() -> std::io::Result<()> {
HttpServer::new(|| {
App::new()
.wrap(FrameProtection)
.service(web::resource("/dashboard").route(web::get().to(dashboard)))
})
.bind("127.0.0.1:8080")?
.run()
.await
}
A simpler and more practical approach uses Actix's built-in header setting capabilities:
use actix_web::{http, middleware, web, App, HttpResponse, HttpServer};
#[actix_web::main]
async fn main() -> std::io::Result<()> {
HttpServer::new(|| {
App::new()
.wrap(middleware::NormalizePath)
.wrap(middleware::DefaultHeaders::default()
.header(http::header::X_FRAME_OPTIONS, "DENY")
.header(http::header::CONTENT_SECURITY_POLICY, "frame-ancestors 'none'"))
.service(web::resource("/").route(web::get().to(index)))
.service(web::resource("/dashboard").route(web::get().to(dashboard)))
})
.bind("127.0.0.1:8080")?
.run()
.await
}
For applications that need to serve specific endpoints in iframes (like embedded widgets), use a more granular approach:
async fn public_widget(req: HttpRequest) -> impl Responder {
HttpResponse::Ok()
.set_header(http::header::X_FRAME_OPTIONS, "SAMEORIGIN")
.content_type("text/html")
.body("<html>...widget content...</html>")
}
async fn sensitive_dashboard(req: HttpRequest) -> impl Responder {
HttpResponse::Ok()
.set_header(http::header::X_FRAME_OPTIONS, "DENY")
.set_header(http::header::CONTENT_SECURITY_POLICY, "frame-ancestors 'none'")
.content_type("text/html")
.body("<html>...dashboard content...</html>")
}
The Content-Security-Policy header provides more comprehensive protection than X-Frame-Options alone, as it's supported by modern browsers and offers finer-grained control over what can embed your content.
When using Actix with template engines like handlebars or tera, ensure the template rendering process doesn't override security headers:
async fn profile(req: HttpRequest) -> impl Responder {
let user = get_authenticated_user(&req).await;
let html = render_template("profile", &user);
HttpResponse::Ok()
.set_header(http::header::X_FRAME_OPTIONS, "DENY")
.set_header(http::header::CONTENT_SECURITY_POLICY, "frame-ancestors 'none'")
.content_type("text/html")
.body(html)
}
Testing the remediation involves verifying that the headers are present in responses:
curl -I http://localhost:8080/dashboard
The response should now include:
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
This comprehensive approach ensures Actix applications are protected against clickjacking attacks while maintaining flexibility for legitimate use cases that require iframe embedding.