A vulnerability scan has flagged Standalone UiPath Orchestrator as being at risk for Cross-Frame Scripting (XFS). How can this vulnerability be mitigated?
Issue Description:
Vulnerability scans run by commercial security software may identify UiPath Orchestrator as being at risk for Cross-Frame Scripting (XFS).
Root Cause:
The UiPath Orchestrator install kit (as of 2023.10.1) configures IIS to send the X-Frame-Options header for the "UiPath Orchestrator" website but not the "Identity" child website.
Resolution:
Refer to the guidance from Mozilla and Microsoft on configuring an IIS website to send the X-Frame-Options header.
Note: By default, IIS may be configured to include the X-Frame-Options header in responses from the top-level "UiPath Orchestrator" website. It may be necessary to also configure the "Identity" website nested underneath "UiPath Orchestrator", especially if audit flags are raised on responses from "https:///identity/".
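The following PowerShell is an added example, not part of the UiPath install kit or documentation. It adds the X-Frame-Options header to the "Identity" child website, reusing the value already configured on the parent "UiPath Orchestrator" site (falling back to SAMEORIGIN if none is set), and then checks a response from /identity/ for the header. The site names come from this article; the hostname orchestrator.example.local is a placeholder.

```powershell
# Added example: configure X-Frame-Options on the "Identity" child website in IIS
# and verify that responses from /identity/ now carry the header.
# Assumes the WebAdministration module (IIS) and the site names used in this article.
Import-Module WebAdministration

$parentPath   = 'IIS:\Sites\UiPath Orchestrator'            # top-level site
$identityPath = 'IIS:\Sites\UiPath Orchestrator\Identity'   # nested "Identity" site
$filter       = 'system.webServer/httpProtocol/customHeaders'
$headerFilter = "$filter/add[@name='X-Frame-Options']"

# Reuse the parent site's value so both sites enforce the same framing policy.
$parentValue = Get-WebConfigurationProperty -PSPath $parentPath -Filter $headerFilter -Name 'value' -ErrorAction SilentlyContinue
$desired = if ($parentValue) { [string]$parentValue } else { 'SAMEORIGIN' }

# Add the header to the Identity site only if it is missing, so re-running is safe.
$existing = Get-WebConfigurationProperty -PSPath $identityPath -Filter $headerFilter -Name 'value' -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $identityPath -Filter $filter -Name '.' `
        -Value @{ name = 'X-Frame-Options'; value = $desired }
    Write-Host "Added X-Frame-Options: $desired to Identity site"
} else {
    Write-Host "Identity site already sends X-Frame-Options: $existing"
}

# Verify the live response (placeholder hostname; replace with the real Orchestrator URL).
$url = 'https://orchestrator.example.local/identity/'
try {
    $response = Invoke-WebRequest -Uri $url -UseBasicParsing
    $header = $response.Headers['X-Frame-Options']
    if ($header) {
        Write-Host "OK: $url returned X-Frame-Options: $header"
    } else {
        Write-Warning "MISSING: $url returned no X-Frame-Options header"
    }
} catch {
    Write-Warning "Request to $url failed: $($_.Exception.Message)"
}
```

Run this in an elevated PowerShell session on the Orchestrator server, then re-run the scanner against the /identity/ path to confirm the finding clears.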
Background:
Cross-Frame Scripting (XFS) is an attack that combines malicious JavaScript with an iframe that loads a legitimate page in an effort to steal data from an unsuspecting user (source).
A website can be at risk of XFS when it fails to send the X-Frame-Options header. The inclusion of this header in Standalone Orchestrator's HTTP responses is controlled by Microsoft's Internet Information Services (IIS) platform on which Standalone Orchestrator is built.