web vulnerability - missing X-Frame-Options header

Vulnerability description

  • The X-Frame-Options HTTP response header tells the browser whether a page may be loaded in an iframe. Websites can prevent clickjacking by setting X-Frame-Options so that pages within the site cannot be embedded in other pages.

  • As an attack it is highly deceptive to the victim, moderately difficult to carry out, and limited to a single technique.

Vulnerability hazard

  • When the X-Frame-Options response header is missing, an attacker can forge a page that uses front-end techniques to carefully construct buttons and images that tempt the user to click. Beneath these elements sits an iframe tag; when the user clicks the top-layer element, the click is effectively delivered to the page loaded by the iframe.

Verification method

To check whether the target is affected, request only the response headers:

curl -I http://target

The X-Frame-Options response header is not present (a vulnerability exists).

HTTP/1.1 200 OK
Server: nginx/1.12.1 (Ubuntu)
Date: Mon, 16 Apr 2018 07:48:51 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Sun, 08 Apr 2018 02:41:44 GMT
Connection: keep-alive
ETag: "5ac98168-264"
Accept-Ranges: bytes

The X-Frame-Options response header is present (no vulnerability exists).

HTTP/1.1 200 OK
Server: nginx/1.12.1 (Ubuntu)
Date: Mon, 16 Apr 2018 07:52:08 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Sun, 08 Apr 2018 02:41:44 GMT
Connection: keep-alive
ETag: "5ac98168-264"
X-Frame-Options: SAMEORIGIN
Accept-Ranges: bytes
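The curl -I check above is read by eye. As an added example (not from the original post), the POSIX shell script below parses a captured header block the same way and also accepts a Content-Security-Policy frame-ancestors directive, which current browsers honour in preference to X-Frame-Options, so a page protected that way is not reported as a finding. The target URL passed to scan_target is an assumed argument; the sample header blocks are constructed to mirror the two captures above.

```shell
# Added example (not from the article): does a captured HTTP response header
# block carry clickjacking protection?
# check_xfo reads header lines on stdin. Exit status:
#   0  X-Frame-Options is DENY or SAMEORIGIN
#   2  X-Frame-Options is ALLOW-FROM (obsolete; current browsers ignore it)
#   1  header missing or has an unrecognised value (finding confirmed)
check_xfo() {
  # Strip CR from curl output; header names are case-insensitive, so match
  # with -i and normalise the value to upper case before comparing.
  _xfo=$(tr -d '\r' | grep -i '^x-frame-options:' | head -n 1 \
         | cut -d: -f2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
         | tr '[:lower:]' '[:upper:]')
  case "$_xfo" in
    DENY|SAMEORIGIN) return 0 ;;
    "ALLOW-FROM "*)  return 2 ;;
    *)               return 1 ;;
  esac
}

# A Content-Security-Policy frame-ancestors directive supersedes
# X-Frame-Options in browsers that support it, so a page that sets it is
# protected even when X-Frame-Options itself is absent.
check_frame_ancestors() {
  tr -d '\r' | grep -i '^content-security-policy:' | grep -iq 'frame-ancestors'
}

# Combined verdict: 0 = protected, 1 = clickjacking finding confirmed.
frame_protected() {
  _hdrs=$(cat)
  if printf '%s\n' "$_hdrs" | check_xfo; then return 0; fi
  if printf '%s\n' "$_hdrs" | check_frame_ancestors; then return 0; fi
  return 1
}

# Live check against a target URL (assumed argument); -sI fetches headers only.
scan_target() {
  curl -sI -- "$1" | frame_protected
}

# Constructed sample responses mirroring the two captures in the article,
# plus a third that relies on CSP instead of X-Frame-Options.
MISSING='HTTP/1.1 200 OK
Server: nginx/1.12.1 (Ubuntu)
Content-Type: text/html'
PRESENT='HTTP/1.1 200 OK
Server: nginx/1.12.1 (Ubuntu)
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'
CSP_ONLY="HTTP/1.1 200 OK
Content-Security-Policy: frame-ancestors 'none'
Content-Type: text/html"

for name in MISSING PRESENT CSP_ONLY; do
  eval "hdrs=\$$name"
  if printf '%s\n' "$hdrs" | frame_protected; then
    echo "$name: protected"
  else
    echo "$name: X-Frame-Options missing - clickjacking finding"
  fi
done
```

Run it as `sh check_xfo.sh` to see the three verdicts, or call `scan_target http://target` to test a live host; a non-zero status from frame_protected is the condition the article calls "a vulnerability exists".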

Reinforcement plan

Configure the web server: edit its configuration file to add a custom response header.

X-Frame-Options takes one of three values:

  1. DENY: the browser refuses to display the page inside any frame
  2. SAMEORIGIN: the page may only be framed by pages from the same origin (same domain name)
  3. ALLOW-FROM origin: the page may only be framed by the specified page address

If the website itself uses iframe tags to embed its own pages, set the value to SAMEORIGIN.

Apache

To configure Apache to send the X-Frame-Options response header on all pages, add the following line to the site configuration:

# "set" replaces any value an earlier rule or module already added, so the
# header is sent exactly once; "append" would join the values with a comma.
Header always set X-Frame-Options "SAMEORIGIN"

Nginx

To configure nginx to send the X-Frame-Options response header, add the following line to the http block of the configuration:

add_header X-Frame-Options SAMEORIGIN;

IIS

To configure IIS to send the X-Frame-Options response header, add the following configuration to the Web.config file:

<system.webServer>
  ...
 
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
 
  ...
</system.webServer>

Tomcat

Add the following configuration to conf/web.xml (on a Windows installation, for example, C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\web.xml):

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>

Origin blog.csdn.net/SweetHeartHuaZai/article/details/132710237