Download Netsparker
Pricing
Blog
Contact
Netsparker

Missing X-Frame-Options Header Detected on Target Web Application

Netsparker detected a missing X-Frame-Options header which means that this website could be at risk of a clickjacking attack.

The X-Frame-Options HTTP header field indicates a policy that specifies whether the browser should render the transmitted resource within a frame or an iframe. Servers can declare this policy in the header of their HTTP responses to prevent clickjacking attacks, which ensures that their content is not embedded into other pages or frames.

Impact

Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

Remedy

  • Sending the proper X-Frame-Options in HTTP response headers that instruct the browser to not allow framing from other domains.
  • Employing defensive code in the UI to ensure that the current frame is the most top level window.

Remedy References

External References


Go back to the Complete list of Vulnerability Checks.