  1. The X-Frame-Options HTTP header is used to tell the browser whether a webpage is allowed to be used in a frame/iframe.

  2. Frames can be used for click-jacking/UI-redress attacks.

  3. It is advised to set X-Frame-Options to 'DENY' to prevent the page from being used for click-jacking.

But is it not possible for the attacker to tamper with the headers (especially with no SSL) OR provide his own page-that-mimics-the-original-page in the frame?

Maybe it is useful when the user is logged in to the original site and the attacker's frame displays a personalized page from the original site to convince the user. But I suppose a dedicated attacker can mimic that too.

What can you tell me about X-Frame-Options as a security feature, and what cautions apply when using it?

Xfce4
    If the attacker can MitM you, they don't need to clickjack anymore, obviously. – Polygnome Nov 16 '20 at 18:22
  • @Polygnome Thank you. By mimicking I did not mean MitM only. I mostly meant mimicking (i.e. copy-pasting) the HTML code of your site into theirs, which is not so complicated I suppose. Am I missing something? – Xfce4 Nov 17 '20 at 07:59
  • That was in relation to the "is it not possible for the attacker to tamper the headers (especially with no SSL)" part. If the attacker can tamper with the request, click-jacking is the least of your concerns. Similarly, phishing is a different attack, although both are somewhat related. – Polygnome Nov 17 '20 at 09:09
  • The point is that the user is already authorized on the page. If you can employ clickjacking and make them click something they shouldn't have, they issue that request fully authorized (if they are logged in on the target page). – Polygnome Nov 17 '20 at 09:14
  • @Polygnome Ah right. The attacker might try to exploit features of the original site that are only available when logged in. You can't have the same result with phishing in this case. Thank you. – Xfce4 Nov 17 '20 at 20:58

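As an added illustration of the points discussed above (this is example code, not part of the original question or comments): a small defensive helper that classifies a response's anti-framing posture from its headers, plus a minimal server that sends the recommended headers. Two details the example encodes are facts about the standards, not assumptions: `ALLOW-FROM` is obsolete and ignored by current browsers, so it is treated as no protection, and a `Content-Security-Policy` `frame-ancestors` directive takes precedence over `X-Frame-Options` when both are present. The header names and sample responses below are constructed for the example.

```python
"""Added example: checking and setting anti-framing headers.

Not part of the original question. Sample responses are constructed.
"""
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer


def framing_policy(headers):
    """Classify a response's anti-framing posture from its headers.

    `headers` maps header name -> value; lookup is case-insensitive.
    Returns one of "blocked", "same-origin", "allowlist" or "none".

    A CSP frame-ancestors directive wins over X-Frame-Options, which is
    how browsers that understand both resolve a conflict. The obsolete
    ALLOW-FROM value is ignored by current browsers, so it counts as
    unprotected here.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = [s.strip("'").lower() for s in parts[1:]]
        if not sources:
            continue  # malformed directive; fall through to X-Frame-Options
        if sources == ["none"]:
            return "blocked"
        if sources == ["self"]:
            return "same-origin"
        return "allowlist"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "none"


# Constructed sample responses (header mappings) for the checker.
SAMPLE_RESPONSES = {
    "legacy-only": {"X-Frame-Options": "DENY"},
    "csp-only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "conflict": {"X-Frame-Options": "DENY",
                 "Content-Security-Policy": "frame-ancestors 'self'"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
    "unprotected": {"Content-Type": "text/html"},
}


def audit_samples():
    """Return the policy classification for every constructed sample."""
    return {name: framing_policy(h) for name, h in SAMPLE_RESPONSES.items()}


class HardenedHandler(BaseHTTPRequestHandler):
    """Hypothetical handler that sends both anti-framing headers on every page."""

    def do_GET(self):
        body = b"<h1>account settings</h1>"
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        # Legacy header for older browsers ...
        self.send_header("X-Frame-Options", "DENY")
        # ... and the CSP directive that supersedes it.
        self.send_header("Content-Security-Policy", "frame-ancestors 'none'")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:12s} -> {verdict}")
    HTTPServer(("127.0.0.1", 8080), HardenedHandler).serve_forever()
```

The checker is the part worth keeping around: the header only protects the response that carries it, so every authenticated page (not just the landing page) has to send it, and a quick pass over real responses with `framing_policy` finds the ones that do not. It says nothing about the phishing scenario raised in the comments, where the attacker copies the HTML rather than framing it; that is a separate problem the header was never meant to solve.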