• State Not Answered
  • Replies replies
    4
  • Subscribers subscribers
    17
  • Views views
    356
  • Users 0 members are here
Related Discussions
Options

Cross-Frame Scripting ( 11293 )

Zh Xu

This error occurred when we used WebInspect(21.1.0) scan.

We have tried two methods, but still cannot fix it, is this a false alarm?

1.We added the request header X-Frame-Options  and set DENY.

2.We added the request header X-Frame-Options: SAMEORIGIN  and content-security-policy: frame-ancestors 'self'.

Tags:

  • 0
    WebInspect flags in three cases:

    1. Response does not have X-Frame-Options header with either Deny or SAMEORIGIN value.
    2. Response does not have Content-Security-Policy with frame-ancestors attribute set. Attribute with value * or allowing scheme level access (e.g. http , https, data etc would result in flagging the vulnerability)
    3. Response does not have frame-busting logic present

    In some instances, WI isn't always able to detect #3 because the logic to do so relies on script execution. This script execution is run in a sandbox as we know what we are doing will break the browser state. XFS detection relies on a response from the script server. If it does not receive a response it will flag. Unfortunately, this has been known to cause some false positives.

  • 0

    Thank you, but after I add the script, the site will no longer allow iframe windows.

  • 0

    Thank you, but after I add the script, the site will no longer allow the iframe window?

  • 0
    in reply to Zh Xu

    It should not prevent the page from loading an iFrame, but prevent the page from being included in an iFrame.

    A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. The attacker could use this weakness to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks.

Resources

Support
Documentation
Training
CyberRes Academy
Partner Portal
Contact us
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
How To Buy
Careers
Investor Relations
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.