X-Frame-Options Header未設(shè)置
廣告:
X-Frame-Options Header未設(shè)置 (Clickjacking: X-Frame-Options header missing)
Severity: low
Type: Configuration
CWE:CWE-693 :Protection Mechanism Failure
Description
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious te chnique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of t heir computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header which means that this website could be at ris k of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whe ther or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other si tes.
Impact
The impact depends on the affected web application.
Recommendation
Configure your web server to include an X-Frame-Options header. Consult Web references for more information about the possible values for this header.
References
The X-Frame-Options response header
Clickjacking
OWASP Clickjacking
Defending with Content Security Policy frame-ancestors directive
Frame Buster Buster
Affected items
1.Impact target:Web Server
details:
No details are available. request:
GET / HTTP/1.1
Host: demo.53bk.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chr ome/41.0.2228.0 Safari/537.21
Accept: */* response: HTTP/1.1 200 OK Server: Tengine
Date: Thu, 18 May 2017 09:12:19 GMT Content-Type: text/html; charset=gb2312
Content-Length: 16477
Cache-Control: public, max-age=561
Expires: Thu, 18 May 2017 09:21:40 GMT
Last-Modified: Thu, 18 May 2017 07:20:00 GMT X-AspNetMvc-Version: 2.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
防止某些重要網(wǎng)頁被其他網(wǎng)站框架導(dǎo)入,可以給頁面增加X-Frame-Options響應(yīng)頭
asp
<%
response.AddHeader "X-Frame-Options","Deny"
%>
Asp.Net
Response.AddHeader("X-Frame-Options", "Deny");
PHP
header('X-Frame-Options:Deny');
X-Frame-Options響應(yīng)頭可用值有
DENY:瀏覽器拒絕當(dāng)前頁面加載任何Frame頁面
SAMEORIGIN:frame頁面的地址只能為同源域名下的頁面
ALLOW-FROM:origin為允許frame加載的頁面地址
如果確認(rèn)你整個(gè)網(wǎng)站都不能被框架,可以直接設(shè)置web服務(wù)器,增加X-Frame-Options響應(yīng)頭。IIS如下圖所示,增加http頭
http頭名: X-Frame-Options
http頭值: SAMEORIGIN
廣告:
