Views:

Applies to Product – Microsoft Dataverse


What’s happening?
There is a possibility of clickjacking in Dynamics 365 model driven applications, where an attacker can trick a user into performing actions that are masked and hidden from the user's view. This vulnerability allows attackers to create fraudulent transactions or perform unauthorized actions using Dynamics 365 HTML code.


Reason:
The application is vulnerable to clickjacking due to the lack of proper security headers that restrict the usage of the application within overlays, frames, or iframes.


Resolution:
To mitigate the clickjacking vulnerability, the following steps should be taken:

  1. Implement the X-Frame-Options security header to prevent the application from being embedded in iframes on untrusted sites. Add X-Frame-Options: DENY or SAMEORIGIN to HTTP responses.
  2. Enable the Content Security Policy (CSP) in the organization settings to restrict embedding to trusted domains. Detailed instructions for enabling CSP can be found in the documentation for Content Security Policy - Power Platform. Use Content-Security-Policy: frame-ancestors 'none'; for broader browser support.
  3. Disable Iframing Where Not Needed. Avoid embedding Dynamics 365 pages in iframes unless explicitly required and secured.
  4. Use HTTPS and Strong TLS. Ensure all Dynamics 365 endpoints are served over HTTPS with modern TLS configurations.
  5. Regular Security Assessments. Conduct penetration testing and review headers using tools like browser dev tools or security scanners
  6. Educate Developers. Promote awareness of UI redress attacks and secure coding practices among customization teams.