Vulnerability description
- The X-Frame-Options HTTP response header indicates whether the browser may load a page inside an iframe. Websites can prevent clickjacking by setting X-Frame-Options so that pages within the site cannot be embedded in other pages.
- Clickjacking is a highly deceptive attack that is moderately difficult to carry out and relies on a single attack technique.
Vulnerability hazard
- When the X-Frame-Options response header is missing, an attacker can craft a page that uses front-end techniques to place carefully constructed buttons and images that tempt the user to click. Beneath these elements sits an iframe that loads the target site. When the user clicks the visible upper-layer element, the click actually lands on the page loaded by the iframe.
Verification method
To check whether a target is affected, request its response headers:
curl -I http://target
If the X-Frame-Options response header is absent, the vulnerability exists:
HTTP/1.1 200 OK
Server: nginx/1.12.1 (Ubuntu)
Date: Mon, 16 Apr 2018 07:48:51 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Sun, 08 Apr 2018 02:41:44 GMT
Connection: keep-alive
ETag: "5ac98168-264"
Accept-Ranges: bytes
If the X-Frame-Options response header is present, the page is protected (no vulnerability exists):
HTTP/1.1 200 OK
Server: nginx/1.12.1 (Ubuntu)
Date: Mon, 16 Apr 2018 07:52:08 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Sun, 08 Apr 2018 02:41:44 GMT
Connection: keep-alive
ETag: "5ac98168-264"
X-Frame-Options: SAMEORIGIN
Accept-Ranges: bytes
Hardening plan
Configure the web server by editing its configuration files to add a custom response header.
X-Frame-Options accepts three values:
- DENY: the browser refuses to load the current page in any frame
- SAMEORIGIN: the page may only be framed by pages served from the same origin
- ALLOW-FROM origin: the page may only be framed by the specified origin (note that most current browsers ignore this value, so do not rely on it)
If the site itself embeds its own pages with iframe tags, use SAMEORIGIN rather than DENY.
Apache
To configure Apache to send the X-Frame-Options response header on all pages, add the following line to the site configuration (set replaces any existing value instead of merging with it):
Header always set X-Frame-Options SAMEORIGIN
Nginx
To configure nginx to send the X-Frame-Options response header, add the following line to the http block (or to a server or location block; note that a block containing its own add_header directives does not inherit those of its parent):
add_header X-Frame-Options SAMEORIGIN;
IIS
To configure IIS to send the X-Frame-Options response header, add the following configuration to the Web.config file:
<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>
Tomcat
Add the following configuration to conf/web.xml (for example C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\web.xml):
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
  <async-supported>true</async-supported>
</filter>
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>