Burp Suite User Forum


Frameable response (potential Clickjacking) issue

Brian | Last updated: Feb 22, 2022 04:36PM UTC

I received this issue in a scan with the description saying that "If a page fails to set an appropriate X-Frame-Options or CSP header...". While I do not have the X-Frame-Options header on this page, I do have a CSP header with the frame-ancestors directive set to 'self'. According to MDN, this directive obsoletes X-Frame-Options for supporting browsers. (We do not support IE11.) I verified the CSP header in the response for this issue. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options Is there something more I need to set, or is the scanner not checking the frame-ancestors directive? We are scanning with Burp Suite Professional v2022.1.1.

Liam, PortSwigger Agent | Last updated: Feb 24, 2022 07:03AM UTC

Thanks for your message, Brian. Could I ask how you are observing the response? Would it be possible to share this with us?

Brian | Last updated: Feb 25, 2022 08:03PM UTC

Hi Liam, from the Dashboard page I took a screenshot of the issues and the response where I saw the CSP directives. I tried to paste this screenshot in, but it looks like I can't in this thread.

Brian | Last updated: Feb 25, 2022 08:11PM UTC

Liam, since it does not look like I can show a screenshot, here are the specifics. In the Burp application, I clicked the Dashboard tab. One of the panes is titled 'Issue Activity'. In this list I selected the Clickjacking issue. Below the Issue Activity pane there is another pane with three tabs: 'Advisory', 'Request' and 'Response'. I clicked the 'Response' tab. At the top of this pane I see this:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
Persistent-Auth: true
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; font-src 'self' data:; frame-src 'self' www.reveillesoftware.com;
Access-Control-Allow-Methods: GET, POST, PUT,DELETE, OPTIONS
Access-Control-Allow-Headers: Accept, Origin, Content-Type
Access-Control-Allow-Credentials: true
Date: Tue, 22 Feb 2022 10:52:25 GMT
Content-Length: 17764

Note the Content-Security-Policy header and the frame-ancestors directive.

Liam, PortSwigger Agent | Last updated: Feb 28, 2022 07:54AM UTC

Thanks, Brian. I'll ask our research team to review the information you have sent to assess whether we can improve the scan check. If you ever need to send us a screenshot, you can email us via support@portswigger.net.

hedmondjohn | Last updated: May 23, 2022 07:01AM UTC

X-Frame-Options is a header included in the response to the request to state whether the requested domain will allow itself to be displayed within a frame. It has nothing to do with JavaScript or HTML, and cannot be changed by the originator of the request. You can't set X-Frame-Options on the iframe. That is a response header set by the domain from which you are requesting the resource. They have set the header to SAMEORIGIN in this case, which means that they have disallowed loading of the resource in an iframe outside of their domain. So you cannot embed their website into yours. When browsers see that the response header contains X-Frame-Options: SAMEORIGIN, they check your domain and block the rendering of the <iframe>. It is a security measure to avoid clickjacking. http://net-informations.com/js/iq/default.htm
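The two posts above describe the two framing controls separately: Brian's response relies on a CSP frame-ancestors 'self' directive with no X-Frame-Options header, and hedmondjohn's reply describes how X-Frame-Options: SAMEORIGIN is enforced. The following is an added example, not Burp's scan check and not code from anyone in this thread. It implements the precedence rule the thread hinges on (when a Content-Security-Policy header contains frame-ancestors, that directive decides and X-Frame-Options is ignored by browsers that support it; otherwise X-Frame-Options DENY or SAMEORIGIN applies; with neither, any origin may frame the page, which is what the scanner finding means) and runs it against the headers Brian pasted. The origin https://app.example.com and the ancestor origins are assumed values for illustration; the CSP value is the one from Brian's post.

```javascript
// Added example: a framing-policy evaluator, not PortSwigger's scanner logic.
// Decides whether a response may be rendered inside a frame, giving a CSP
// frame-ancestors directive precedence over X-Frame-Options, as browsers that
// support frame-ancestors do.

// Response headers as pasted in Brian's post above (only the two that matter
// for this question are reproduced; names are lower-cased on lookup).
const BRIAN_HEADERS = {
  "X-Content-Type-Options": "nosniff",
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
    "connect-src 'self'; img-src 'self' data:; frame-ancestors 'self'; " +
    "form-action 'self'; style-src 'self' 'unsafe-inline'; " +
    "style-src-elem 'self' 'unsafe-inline'; font-src 'self' data:; " +
    "frame-src 'self' www.reveillesoftware.com;",
};

// Parse a CSP header value into Map<directive name, source expressions>.
// Only the first occurrence of a directive counts, as the spec requires.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Match one frame-ancestors source expression against an ancestor origin.
// Handles 'none', 'self', '*', a scheme-source such as https:, and a
// host-source with optional scheme, *. wildcard and port. 'self' is treated
// as an exact origin comparison (simplification: CSP3 also lets 'self' on an
// http page match an https ancestor on the same host).
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return ancestorOrigin === pageOrigin;
  if (src === "*") return true;
  const ancestor = new URL(ancestorOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return ancestor.protocol === src;
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\*|\d+))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && ancestor.protocol !== scheme + ":") return false;
  const hostOk = wildcard
    ? ancestor.hostname.endsWith("." + host)
    : ancestor.hostname === host;
  if (!hostOk) return false;
  if (port && port !== "*") {
    const ancestorPort =
      ancestor.port || (ancestor.protocol === "https:" ? "443" : "80");
    if (ancestorPort !== port) return false;
  }
  return true;
}

// Decide whether a page served with `headers` at `pageOrigin` may be rendered
// when its frame ancestors have the origins in `ancestorOrigins`. Every
// ancestor in the chain must be allowed, which is how frame-ancestors is
// specified and how current browsers apply SAMEORIGIN.
function framingVerdict(headers, pageOrigin, ancestorOrigins) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const csp = h["content-security-policy"];
  if (csp !== undefined) {
    const fa = parseCsp(csp).get("frame-ancestors");
    if (fa !== undefined) {
      // frame-ancestors present: it decides; X-Frame-Options is not consulted.
      const allowed = ancestorOrigins.every((a) =>
        fa.some((s) => sourceMatches(s, a, pageOrigin)));
      return { allowed, decidedBy: "frame-ancestors" };
    }
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, decidedBy: "x-frame-options" };
  if (xfo === "SAMEORIGIN") {
    const allowed = ancestorOrigins.every((a) => a === pageOrigin);
    return { allowed, decidedBy: "x-frame-options" };
  }
  // Neither header restricts framing. An unrecognised X-Frame-Options value
  // (including the obsolete ALLOW-FROM) is ignored by current browsers.
  return { allowed: true, decidedBy: "none" };
}

// Brian's headers: same-origin framing allowed, cross-origin framing blocked.
const ORIGIN = "https://app.example.com"; // assumed origin of Brian's application
console.log(framingVerdict(BRIAN_HEADERS, ORIGIN, [ORIGIN]));
console.log(framingVerdict(BRIAN_HEADERS, ORIGIN, ["https://attacker.example"]));
```

Two checks worth making before treating a finding like this as a false positive: the directive must be in an enforced Content-Security-Policy header, not in Content-Security-Policy-Report-Only and not in a <meta http-equiv> tag, since frame-ancestors is ignored in both of those places; and the simplest confirmation is to host a page on a different origin that frames the target and watch the browser refuse to render it.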
