- What is CWE-1021?
- The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.
- What CVEs are caused by CWE-1021?
- 186 recorded CVEs are attributed to CWE-1021, including CVE-2023-41897, CVE-2024-10004, CVE-2022-3167.
- How do you prevent CWE-1021?
- The use of X-Frame-Options allows developers of web content to restrict the usage of their application within the form of overlays, frames, or iFrames. The developer can indicate from which domains can frame the content.
- How is CWE-1021 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-1021?
- Exploiting CWE-1021 can lead to: Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Application Data, Modify Application Data.
- Is CWE-1021 actively exploited?
- 186 recorded CVEs are caused by CWE-1021; none are currently in CISA's KEV catalog of actively exploited flaws.