Task #12587

Task #12556: Pentest - 2nd Assessment [2021]

Pentest_CDB - Missing "X-Frame-Options" Header [LOW]

Added by Nurul Athira Abdul Rahim almost 3 years ago. Updated 7 months ago.

Status: Closed - End of life cycle
Start date: November 10, 2021
Priority: Normal
Due date:
Assignee: Nurul Athira Abdul Rahim
% Done: 100%
Category: Penetration Test Issue
Spent time: -
Target version: -

Description

If a page fails to set an appropriate X-Frame-Options header, it might be possible for a page controlled by an attacker to load it within an iframe. This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions. Note that some applications attempt to prevent these attacks from within the HTML page itself, using "framebusting" code. However, this type of defense is normally ineffective and can usually be circumvented by a skilled attacker.

Solution provided by LGMS:

To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.

Affected URL:

https://10.10.55.34:9444/bsn-cdb-uat/*
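As an added example (not code from this ticket, from LGMS or from the CDB application), the script below classifies a captured HTTP response head by its framing protection, following the X-Frame-Options guidance in the solution above and also recognising the Content-Security-Policy frame-ancestors directive that the related Task #12584 covers, and includes a helper that adds the DENY header to a response that lacks it. The sample responses, the "partner.example" origin and the verdict levels are constructed for illustration; nothing here contacts the affected URL.

```python
"""Check and harden HTTP responses against clickjacking (framing).

Added example for this ticket; not code from the original page, from LGMS
or from the BSN CDB application. All sample responses are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class FrameVerdict:
    protected: bool
    level: str    # "strong" (DENY / 'none'), "partial" (SAMEORIGIN / allow-list), "none"
    reason: str


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a raw HTTP response head into a lower-cased header map.

    Repeated headers are kept in order; the status line and body are skipped.
    """
    headers: dict[str, list[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break                                  # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_frame_protection(raw_response: str) -> FrameVerdict:
    """Classify one response the way a header review for this finding would."""
    headers = parse_headers(raw_response)

    # Browsers that understand frame-ancestors ignore X-Frame-Options when
    # both are present, so the CSP directive is evaluated first.
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = {p.strip("'").lower() for p in parts[1:]}
                if sources == {"none"}:
                    return FrameVerdict(True, "strong", "CSP frame-ancestors 'none'")
                if not sources or "*" in sources:
                    return FrameVerdict(False, "none", "CSP frame-ancestors allows any origin")
                return FrameVerdict(True, "partial",
                                    "CSP frame-ancestors restricted to: " + " ".join(sorted(sources)))

    values = [v.upper() for v in headers.get("x-frame-options", [])]
    if not values:
        return FrameVerdict(False, "none", "no X-Frame-Options or frame-ancestors header")
    if len(set(values)) > 1:
        # Conflicting values are a misconfiguration; report it regardless of
        # how an individual browser resolves the conflict.
        return FrameVerdict(False, "none", "conflicting X-Frame-Options values: " + ", ".join(values))
    value = values[0]
    if value == "DENY":
        return FrameVerdict(True, "strong", "X-Frame-Options: DENY")
    if value == "SAMEORIGIN":
        # Weaker than DENY: bypassable if the app can be made to frame untrusted pages.
        return FrameVerdict(True, "partial", "X-Frame-Options: SAMEORIGIN")
    # ALLOW-FROM is obsolete and ignored by current browsers; anything else is invalid.
    return FrameVerdict(False, "none", f"unrecognised X-Frame-Options value: {value}")


def harden_headers(headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return a copy of a response header list with framing defences added.

    DENY is used because nothing on the affected application needs to be framed.
    Existing values are left alone so an intentional SAMEORIGIN is not overridden.
    """
    names = {name.lower() for name, _ in headers}
    hardened = list(headers)
    if "x-frame-options" not in names:
        hardened.append(("X-Frame-Options", "DENY"))
    if "content-security-policy" not in names:
        hardened.append(("Content-Security-Policy", "frame-ancestors 'none'"))
    return hardened


def render_response(headers: list[tuple[str, str]]) -> str:
    """Serialise a header list as a minimal HTTP/1.1 response head."""
    return "HTTP/1.1 200 OK\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"


# Constructed sample responses, modelled on the finding in this ticket.
SAMPLES = {
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "deny": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n",
    "sameorigin": "HTTP/1.1 200 OK\r\nX-Frame-Options: sameorigin\r\n\r\n",
    "allow_from": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://partner.example\r\n\r\n",
    "csp_none": "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        v = check_frame_protection(raw)
        print(f"{label:12} protected={v.protected!s:5} level={v.level:8} {v.reason}")
    fixed = render_response(harden_headers([("Content-Type", "text/html")]))
    print("hardened     ", check_frame_protection(fixed))
```

Run against a saved response head (for example the output of a HEAD request captured during retest), the "missing" case is the state this ticket reports; the retest disagreement in the history below (application URL versus web server URL) is exactly why the check should be run against every hostname and port the application is reachable on, not only the one the fix was applied to.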


Related issues

Related to BSN Corporate Digital Banking - Task #12584: Pentest_CDB - Missing "Content-Security-Policy" Header [LOW] Closed - End of life cycle November 09, 2021

History

#1 Updated by Najmi Pasarudin almost 3 years ago

  • Status changed from New - Begin Life Cycle to Internal Testing
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
  • % Done changed from 0 to 100

Please refer to sc4.png at Task 12584

#2 Updated by Nurul Athira Abdul Rahim almost 3 years ago

  • Status changed from Internal Testing to System Integration Test

#3 Updated by Nurul Athira Abdul Rahim over 2 years ago

  • Status changed from System Integration Test to Development / Work In Progress
  • Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin

Kindly review the fixes, as the new pentest (March,9,20202) result status stated "not solved".

#4 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from Development / Work In Progress to System Integration Test
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim

LGMS team tested in application url instead of web url.
Fixes already applied to staging and production web server.

#5 Updated by Nurul Athira Abdul Rahim 7 months ago

  • Status changed from System Integration Test to Closed - End of life cycle

Closed for this; refer to the new 2023/2024 pentest report.
