Summary

Acunetix 360 detected that the X-Frame-Options HTTP Response header contains an invalid or not widely supported value.

Impact

A broken X-Frame-Options header will expose your users to UI Redressing attacks such as Clickjacking. The attacker loads one of the web pages of a vulnerable application in an iframe on their own website, then overlays the iframe with their own HTML elements so that it is invisible to the user.

Finally, the attacker places a button element directly over one of the buttons loaded inside the iframe, for example the "Delete Account" button on an "Edit Profile" page. The attacker also applies a CSS property to their own HTML elements so that, when your users try to click the button on the attacker's page, they actually click the "Delete Account" button in the iframe instead.

The only effective way to prevent this is by blocking other sites from loading your website in an iframe. This is what the X-Frame-Options header does. However, the header will not work as intended when an invalid value is set, which might expose your users to client-side attacks such as Clickjacking.

Additionally, the header might be ineffective for the majority of your users if a poorly supported value, such as ALLOW-FROM, is set.

Remediation

Use either the DENY or SAMEORIGIN header value to support the majority of browsers. Additionally, you can define the frame-ancestors Content-Security-Policy directive.
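The check this finding describes, as an added example (not Acunetix's own code): it classifies an X-Frame-Options value as valid, poorly supported (ALLOW-FROM) or invalid, and proposes the widely supported replacement plus the equivalent frame-ancestors directive. Sample headers are constructed; the partner origin is a placeholder.

```python
import re

VALID_VALUES = {"DENY", "SAMEORIGIN"}
ALLOW_FROM = re.compile(r"^ALLOW-FROM\s+(\S+)$", re.IGNORECASE)


def classify_xfo(value):
    """Return 'missing', 'valid', 'poorly-supported' or 'invalid'."""
    if value is None:
        return "missing"
    # RFC 7034 allows exactly one value; a list such as "DENY, SAMEORIGIN"
    # is malformed and browsers ignore the whole header.
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 1 or not parts[0]:
        return "invalid"
    token = parts[0]
    if token.upper() in VALID_VALUES:
        return "valid"
    if ALLOW_FROM.match(token):
        return "poorly-supported"  # only some older browsers honour this
    return "invalid"               # e.g. "ALLOWALL", "SAMEORIGIN;", bare "ALLOW-FROM"


def recommended_headers(value):
    """Replacement headers: a widely supported X-Frame-Options value plus
    the equivalent Content-Security-Policy frame-ancestors directive."""
    verdict = classify_xfo(value)
    if verdict == "valid" and value.strip().upper() == "SAMEORIGIN":
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
    if verdict == "poorly-supported":
        origin = ALLOW_FROM.match(value.strip()).group(1)
        # Keep the intended allow-list in CSP, which supports origins, and
        # fall back to SAMEORIGIN for browsers that only read X-Frame-Options.
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": f"frame-ancestors 'self' {origin}"}
    # Missing, invalid, or already DENY: deny framing everywhere.
    return {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}


def check_response(headers):
    """Look up X-Frame-Options case-insensitively in a response header dict."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "x-frame-options"), None)
    return classify_xfo(value), recommended_headers(value)


if __name__ == "__main__":
    # Constructed sample responses, not taken from any real scan.
    for sample in ({"X-Frame-Options": "DENY"},
                   {"x-frame-options": "ALLOW-FROM https://partner.example"},
                   {"X-Frame-Options": "DENY, SAMEORIGIN"},
                   {"Content-Type": "text/html"}):
        print(check_response(sample))
```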

Severity

Low

Classification

CAPEC-103 CWE-693 ISO27001-A.14.2.5 OWASP 2013-A5 OWASP 2017-A6