Clickjacking in Grape with Cockroachdb

Clickjacking is a client-side attack where an attacker tricks a user into interacting with a hidden or disguised UI element inside an iframe. In a Grape API serving HTML or embedding third-party content, misconfigured HTTP headers can allow the API’s responses to be framed by external pages. When Grape endpoints expose sensitive actions (for example, changing account settings or confirming a transaction) inside an iframe, and those endpoints rely on Cockroachdb for data storage without validating the request origin, an attacker can embed the endpoint in a malicious page and capture unintended user actions.

Grape does not set default anti-clickjacking headers, so developers must explicitly configure frame protection. If a Grape route renders a page or returns HTML that references data from Cockroachdb (e.g., displaying or modifying a user record), and the response lacks a X-Frame-Options or Content-Security-Policy frame-ancestors directive, the page can be embedded anywhere. An attacker could create a page that loads https://api.example.com/user/confirm-email in a hidden iframe and overlay invisible controls, causing the logged-in user’s browser to make authenticated requests to the Grape app. Because Cockroachdb holds the authoritative state (e.g., email confirmation flags), the request will succeed if authentication and authorization checks are insufficient, leading to unauthorized state changes.

In a typical stack, Grape routes query Cockroachdb using a database driver (e.g., pgx). The vulnerability arises not from Cockroachdb itself but from the API surface exposed by Grape and the data it exposes. For example, a GET route that returns sensitive data in an HTML snippet could be framed, and an injected UI can induce a state-changing POST to another route. Because Cockroachdb stores user permissions and confirmation status, an attacker might leverage read data to infer behavior or craft targeted UI overlays. MiddleBrick’s checks for BOLA/IDOR and Unsafe Consumption complement this by identifying whether endpoints enforce proper ownership and whether responses expose sensitive data that could aid clickjacking social engineering.

To mitigate, ensure every response that can be framed sets strict frame-ancestors policies and validate origins on the server side. Combine this with robust authentication and per-request authorization checks against Cockroachdb to ensure a request is intentional and owned by the authenticated subject. Security headers must be applied consistently across all routes, especially those that render HTML or perform state changes, to prevent embedding by external domains.

Remediation centers on HTTP headers and server-side checks before querying Cockroachdb. Below are concrete, working examples for a Grape API using the pgx driver to interact with Cockroachdb.

1. Add anti-clickjacking headers in your Grape API:

class MyAPI < Grape::API
  format :json

  before do
    # Prevent framing by any site
    header['X-Frame-Options'] = 'DENY'
    # Allow framing only by trusted origins (adjust as needed)
    header['Content-Security-Policy'] = "frame-ancestors 'self' https://trusted.example.com;"
  end

  helpers do
    def db
      # Establish a connection to Cockroachdb
      @db ||= PGX.connect(
        host: ENV['COCKROACH_HOST'],
        port: ENV['COCKROACH_PORT'] || 26257,
        user: ENV['COCKROACH_USER'],
        password: ENV['COCKROACH_PASSWORD'],
        database: ENV['COCKROACH_DB'],
        sslcert: ENV['COCKROACH_SSL_CERT'],
        sslkey: ENV['COCKROACH_SSL_KEY'],
        sslrootcert: ENV['COCKROACH_ROOT_CERT']
      )
    end
  end

  resource :users do
    desc 'Show user profile, safely guarded against clickjacking via headers and ownership check'
    params do
      requires :id, type: Integer, desc: 'User ID'
    end
    get ':id' do
      user_id = params[:id]
      # Ownership check before reading from Cockroachdb
      # Assuming current_user is set by your auth layer
      unless current_user&.id == user_id
        error!('Forbidden', 403)
      end

      result = db.exec_params('SELECT id, username, email_confirmation FROM users WHERE id = $1', [user_id])
      not_found! unless result.ntuples.positive?
      result.ntuples.times.map { |i| { id: result[i, 'id'], username: result[i, 'username'], email_confirmation: result[i, 'email_confirmation'] } }.first
    end
  end
end

2. Use parameterized queries to avoid SQL injection and ensure correctness when checking user data from Cockroachdb:

result = db.exec_params('SELECT id, confirmed_at FROM confirmations WHERE user_id = $1 AND action = $2', [user_id, 'email'])
if result.ntuples > 0 && result[0]['confirmed_at'].nil?
  # Safe to mark as confirmed after origin and CSRF checks
end

3. Enforce per-request authorization even when headers are present, because headers alone do not stop a compromised subresource or a malicious browser extension. Validate that the authenticated subject is allowed to perform the action against Cockroachdb state:

unless db.exec_params('SELECT is_owner($1, $2)', [current_user.id, resource_id]).get_value(0, 0)
  error!('Not authorized', 403)
end

4. For HTML endpoints that could be framed, prefer Content-Security-Policy with a restrictive frame-ancestors directive over X-Frame-Options, as CSP is more flexible and future-proof. Ensure your Grape before block sets both during migration, then remove X-Frame-Options once legacy browser support is not required.