Scribd Logo
Upload

Welcome to Scribd!

  • CLICKJACKING: X-Frame-options Header Not Set: Description

    Uploaded by

    Røshäñ Çhôùdhäry
    44 views2 pages

    Original Title

    x-frame

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    44 views2 pages

    CLICKJACKING: X-Frame-options Header Not Set: Description

    Uploaded by

    Røshäñ Çhôùdhäry

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 2

    CLICKJACKING: X-Frame-options Header Not Set

    DESCRIPTION
    Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious
    technique of tricking a Web user into clicking on something different from what the user
    perceives they are clicking on, thus potentially revealing confidential information or taking
    control of their computer while clicking on seemingly innocuous web pages.

    The server didn't return an X-Frame-Options header which means that this website could be
    at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to
    indicate whether or not a browser should be allowed to render a page inside a frame or
    iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not
    embedded into other sites.

    What could a determined hacker do with a clickjacking attack?


     Trick users into turning on their web-cam or microphone
     Spread worms on social media sites
     Harvest login credentials

    OWASP Clickjacking
    Remediation: OWASP Clickjacking defence

    This is intended to provide guidance for developers on how to defend against Clickjacking,


    also known as UI redress attacks.

    There are three main mechanisms that can be used to defend against these attacks:

     Preventing the browser from loading the page in frame by using the X-Frame-
    Options or Content Security Policy (frame-ancestors) HTTP headers.

     Preventing session cookies from being included when the page is loaded in a frame
    using the SameSite cookie attribute.

     Implementing JavaScript code in the page to attempt to prevent it being loaded in a


    frame (known as a "frame-buster").
     Defending with X-Frame-Options Response Headers

    The X-Frame-Options HTTP response header can be used to indicate whether or not a


    browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to
    avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites. Set
    the X-Frame-Options header for all responses containing HTML content.

    There are three possible values for the X-Frame-Options header:

     DENY, which prevents any domain from framing the content. The "DENY" setting is
    recommended unless a specific need has been identified for framing.

     SAMEORIGIN, which only allows the current site to frame the content.

     ALLOW-FROM URL, which permits the specified 'URL' to frame this page.
    (e.g., ALLOW-FROM http://www.example.com).
     Check limitations below because this will fail open if the browser does not
    support it.

     Other browsers support the new CSP frame-ancestors directive instead. A few


    supports both.

    Implementation

    To implement this protection, you need to add the X-Frame-Options HTTP Response header


    to any page that you want to protect from being clickjacked via frame busting. One way to do
    this is to add the HTTP Response Header manually to every page. A possibly simpler way is
    to implement a filter that automatically adds the header to every page or to add it at Web
    Application Firewall of Web/Application Server level.

    You might also like