
Possible Clickjacking Vulnerability

Question asked by Gude Hideki on Jan 30, 2013
Latest reply on Apr 8, 2014 by Dingjie Yang

Hello,

I got a scan report today detecting a Possible Clickjacking Vulnerability on my web application.

Even using both preventions suggested by Qualys, the vulnerability still persists:

The response for this request did not have an "X-FRAME-OPTIONS" header present.

Here's how I implemented X-Frame-Options:

<!DOCTYPE HTML>
<html>
    <head>
        <meta charset="utf-8">
        <!-- ignored by browsers: X-Frame-Options only takes effect as an HTTP response header -->
        <meta http-equiv="X-Frame-Options" content="deny">
    </head>
</html>

And another suggestion was using a framekiller:

<style id="antiClickjack">html { display: none !important; }</style>
<script>
// Framekiller as in the OWASP guidance: the style above hides the page until the
// script confirms it is the top-level window; if framed, it breaks out of the frame.
if (self == top) {
    document.documentElement.style.display = 'block';
} else {
    top.location = self.location;
}
</script>

I can only test the last one using the OWASP technique: https://www.owasp.org/index.php/Testing_for_Clickjacking_%28OWASP-CS-004%29

Is there any way to check if X-Frame-Options was implemented correctly?

How does Qualys check this vulnerability, or can you suggest some way to do it?

I took this example from Bank of America; it is probably done on the server side?

[screenshot attachment: Captura de Tela 2013-01-30 às 10.30.43.png]

EDIT:

All documents on this website are .html, so I added these parameters to web.config inside the system.webServer node:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!-- <clear /> drops any custom headers inherited from parent configuration -->
      <clear />
      <!-- header names are case-insensitive; IIS adds this to every response, static .html included -->
      <add name="X-FRAME-OPTIONS" value="DENY" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Tested with this tool: https://mozsecworld.org/msw/x_frame_options/demo/ and it works fine.

Is this enough to pass the scanner again?

Thanks in advance,

Gude.
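One way to do the check the question asks for, as an added example that is not part of the original post and not Qualys' own code: a scanner, like a browser, only looks at the HTTP response headers, so the test is to capture them (for example with curl -sI) and inspect the X-Frame-Options header there, rather than trusting a meta tag in the HTML. The script below does that over two constructed sample responses (one from the meta-tag-only page, one after the web.config change); the sample header lines, the Server value and the function names are assumptions for illustration.

```python
"""Check whether a page's HTTP response really carries X-Frame-Options.

A scanner (and a browser) only sees the header on the HTTP response; a
<meta http-equiv="X-Frame-Options"> tag in the HTML is ignored, so a page
protected only that way is still reported as frameable.  Feed this the raw
text captured with e.g. `curl -si https://host/page.html`.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample 1: response from the page that only set the <meta> tag
# (no X-Frame-Options header at all, as the scanner reported).
META_ONLY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "\r\n"
    "<!DOCTYPE HTML><html><head><meta charset=utf-8>"
    '<meta http-equiv="X-Frame-Options" content="deny"></head></html>'
)

# Constructed sample 2: the same page after the web.config customHeaders entry;
# the header name is upper-case exactly as configured there.
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-FRAME-OPTIONS: DENY\r\n"
    "\r\n"
    "<!DOCTYPE HTML><html><head><meta charset=utf-8></head></html>"
)

META_XFO = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?x-frame-options["\']?[^>]*>', re.IGNORECASE)


def split_response(raw: str) -> Tuple[str, str]:
    """Split a raw HTTP response into (header block, body)."""
    for sep in ("\r\n\r\n", "\n\n"):
        if sep in raw:
            head, body = raw.split(sep, 1)
            return head, body
    return raw, ""


def parse_headers(head: str) -> List[Tuple[str, str]]:
    """Turn a header block into (name, value) pairs, keeping order and duplicates."""
    pairs = []
    for line in head.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def check_x_frame_options(head: str) -> Dict[str, object]:
    """Classify the X-Frame-Options header(s) in a header block.

    verdict is one of: missing, conflicting, invalid, protected.
    Header names are matched case-insensitively (X-FRAME-OPTIONS is fine).
    """
    values = [v for n, v in parse_headers(head) if n.lower() == "x-frame-options"]
    if not values:
        return {"verdict": "missing", "values": values,
                "reason": "no X-Frame-Options header in the response"}
    # RFC 7034: browsers may ignore the header entirely if it is sent more than
    # once or as a comma-separated list, so treat that as a failure, not a pass.
    if len(values) > 1 or any("," in v for v in values):
        return {"verdict": "conflicting", "values": values,
                "reason": "X-Frame-Options must appear exactly once with one value"}
    directive = values[0].upper()
    if directive in ("DENY", "SAMEORIGIN") or directive.startswith("ALLOW-FROM "):
        return {"verdict": "protected", "values": values,
                "reason": f"X-Frame-Options: {values[0]} is a valid directive"}
    return {"verdict": "invalid", "values": values,
            "reason": f"{values[0]!r} is not DENY, SAMEORIGIN or ALLOW-FROM <uri>"}


def audit_response(raw: str) -> Dict[str, object]:
    """Check the header and flag the meta-tag-only case explicitly."""
    head, body = split_response(raw)
    result = check_x_frame_options(head)
    meta_present = META_XFO.search(body) is not None
    result["meta_only"] = meta_present and result["verdict"] == "missing"
    if result["meta_only"]:
        result["reason"] += " (the <meta http-equiv> tag in the body is ignored by browsers)"
    return result


if __name__ == "__main__":
    for label, raw in (("meta tag only", META_ONLY_RESPONSE), ("web.config header", FIXED_RESPONSE)):
        r = audit_response(raw)
        print(f"{label:18} -> {r['verdict']:11} {r['reason']}")
```

To test a live page, capture the response with curl -si (status line, headers and body) and pass the text to audit_response; a "missing" verdict with meta_only set is exactly the situation in the question, and "conflicting" catches the case where the header is emitted both by the application and by the server configuration.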

 

