
Clickjacking in CockroachDB

How Clickjacking Manifests in CockroachDB

Clickjacking in CockroachDB typically occurs when the database's web-based administrative interface is exposed without frame-busting protections. CockroachDB's admin UI, which runs on port 8080 by default, can be embedded in an invisible iframe on a malicious website, tricking users into unknowingly executing administrative actions.

A common attack pattern involves creating a malicious page that loads the CockroachDB admin UI in a tiny, zero-pixel iframe. The attacker then overlays convincing UI elements (such as buttons or forms) that align with the admin interface's controls. When victims click what they believe is a legitimate button, they are actually interacting with the CockroachDB admin console, potentially dropping tables, deleting data, or modifying permissions.

CockroachDB's admin UI is particularly exposed because it uses HTTP cookies for authentication. Once a user authenticates to the admin UI, their session remains active, so a framed request carries the user's cookie and any action performed through the frame runs in that user's authenticated context. This is especially dangerous in enterprise environments where administrators hold elevated privileges.

The vulnerability is exacerbated when CockroachDB instances are deployed without proper network segmentation. Many organizations expose the admin UI to the internet for convenience, not realizing that without frame-busting headers these interfaces become prime targets for clickjacking. The issue is compounded by CockroachDB's rich administrative capabilities: an attacker who successfully clickjacks an admin UI session can potentially execute SQL commands, view query plans, or even trigger backups and restores.

Another manifestation involves CockroachDB's HTTP endpoints that accept SQL queries. If these endpoints lack proper CSRF protection and can be loaded in an iframe, attackers can craft pages that submit malicious SQL queries when users interact with seemingly benign elements on the malicious page.

CockroachDB-Specific Detection

Detecting clickjacking vulnerabilities in CockroachDB requires both automated scanning and manual verification. The middleBrick CLI provides specialized detection for this issue:

middlebrick scan http://your-cockroachdb:8080

The scan specifically checks for missing X-Frame-Options headers and Content-Security-Policy frame-ancestors directives. middleBrick also attempts to load the admin UI in an iframe to verify if framing is possible, then tests for common clickjacking indicators like missing frame-busting JavaScript.

For manual verification, you can test your CockroachDB instance using these methods:

# Check HTTP response headers using curl or httpie (header names are
# case-insensitive and HTTP/2 lowercases them, hence -i)
http http://your-cockroachdb:8080 | grep -iE "(X-Frame-Options|Content-Security-Policy)"

Look for these specific headers that prevent clickjacking:

  • X-Frame-Options: DENY or SAMEORIGIN
  • Content-Security-Policy: frame-ancestors 'none' or 'self'
  • X-Content-Security-Policy: frame-ancestors 'none'
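A small checker that applies the rules above to a response's headers, as an added example (it is not middleBrick's scanner or CockroachDB code, and the header sets it inspects are constructed). It also covers two cases the list does not spell out: a report-only CSP gives no protection, and an enforced frame-ancestors directive overrides X-Frame-Options in browsers.

```python
from typing import Dict, List, Optional, Tuple
# Added example, not middleBrick's or CockroachDB's code: it applies the
# header rules listed above to constructed header sets. Names are matched
# case-insensitively, and a CSP frame-ancestors directive takes precedence
# over X-Frame-Options, as browsers do.

def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if absent from the CSP."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for one response's headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    # Content-Security-Policy-Report-Only only reports; it never blocks framing.
    csp = lower.get("content-security-policy")
    sources = _frame_ancestors(csp) if csp is not None else None
    if sources is not None:
        if sources == ["'none'"]:
            return True, "CSP frame-ancestors 'none'"
        if sources == ["'self'"]:
            return True, "CSP frame-ancestors 'self'"
        return False, "CSP frame-ancestors allows " + " ".join(sources)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo:
        # ALLOW-FROM and misspelt values are not enforced by current browsers.
        return False, "X-Frame-Options " + xfo + " is not enforced by browsers"
    return False, "no X-Frame-Options or CSP frame-ancestors header"

# Constructed sample responses, not captured from a real CockroachDB node.
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "proxy_hardened": {"X-Frame-Options": "DENY",
                       "Content-Security-Policy": "frame-ancestors 'none'"},
    "report_only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "csp_widens_xfo": {"X-Frame-Options": "DENY",
                       "Content-Security-Policy": "default-src 'self'; frame-ancestors https://portal.example"},
}

def audit(samples: Dict[str, Dict[str, str]] = SAMPLES) -> Dict[str, bool]:
    """Map each sample name to whether framing is blocked."""
    return {name: framing_protection(h)[0] for name, h in samples.items()}
```

Feed the headers returned by `curl -I` or httpie into framing_protection() to check a live node; audit() runs the constructed samples.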

Additionally, examine your CockroachDB configuration files for admin UI settings. In cockroach.yaml:

adminui:
  port: 8080
  https_only: true
  use_canonical_address: false

The middleBrick dashboard provides historical tracking of your security posture, allowing you to monitor whether clickjacking protections remain in place over time. The Pro plan's continuous monitoring can alert you if these headers are accidentally removed during deployments.

For enterprise deployments, middleBrick's compliance reporting maps clickjacking protections to relevant standards like PCI-DSS (requirement 6.5.10) and SOC2, helping demonstrate due diligence to auditors.

CockroachDB-Specific Remediation

Remediating clickjacking vulnerabilities in CockroachDB involves multiple layers of protection. The most effective approach combines HTTP header configuration with network-level controls.

First, configure your CockroachDB instance to serve the admin UI only over HTTPS and with framing restrictions. In your cockroach.yaml configuration:

adminui:
  port: 8443
  https_only: true
  use_canonical_address: true
  http_headers:
    X-Frame-Options: DENY
    Content-Security-Policy: frame-ancestors 'none'

If you're using a reverse proxy in front of CockroachDB (recommended for production), add these headers at the proxy level. The `always` parameter makes nginx emit them on error responses too, not just on 2xx/3xx:

server {
    listen 443 ssl;
    server_name cockroachdb.example.com;
    
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    
    location / {
        add_header X-Frame-Options DENY always;
        add_header Content-Security-Policy "frame-ancestors 'none'" always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-XSS-Protection "1; mode=block" always;
        
        proxy_pass http://cockroachdb_internal:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

For organizations that need to access the admin UI from specific internal applications, use SAMEORIGIN instead of DENY:

add_header X-Frame-Options SAMEORIGIN always;

Network segmentation provides an additional defense layer. Configure your firewall to allow admin UI access only from specific IP ranges (the ACCEPT rule must precede the DROP rule, since iptables matches in order):

# iptables example
iptables -A INPUT -p tcp --dport 8080 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

For containerized deployments, harden the container in your Docker Compose file (the security headers themselves are still served by the reverse proxy in front of it):

version: '3.8'
services:
  cockroachdb:
    image: cockroachdb/cockroach:latest
    command: start --http-port=8080
    ports:
      - "8080:8080"
    security_opt:
      - no-new-privileges:true
    read_only: true

middleBrick's GitHub Action can automatically scan your CockroachDB admin UI during CI/CD pipelines, failing builds if clickjacking protections are missing. This ensures that security configurations aren't accidentally removed during development cycles.

Frequently Asked Questions

Does CockroachDB have built-in clickjacking protection?
CockroachDB does not enable clickjacking protections by default. The admin UI is accessible via HTTP and allows framing unless explicitly configured otherwise. You must manually add X-Frame-Options or Content-Security-Policy headers through configuration or a reverse proxy setup.
Can I use middleBrick to scan my CockroachDB admin UI running on a private network?
Yes, middleBrick can scan private network endpoints. You can run the CLI tool from within your network: 'middlebrick scan http://cockroachdb.internal:8080'. The scan will check for clickjacking vulnerabilities and other security issues without requiring credentials or authentication.