The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Frameable response (potential Clickjacking) issue

Brian | Last updated: Feb 22, 2022 04:36PM UTC

I received this issue in a scan with the description saying that 'If a page fails to set an appropriate X-Frame-Options or CSP header...'. While I do not have the X-Frame-Options header on this page, I do have a CSP header with the frame-ancestors directive set to 'self'. According to MDN (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options), this directive obsoletes X-Frame-Options for supporting browsers. (We do not support IE11.) I verified the CSP header in the response for this issue. Is there something more I need to set, or is the scanner not checking the frame-ancestors directive? We are scanning with Burp Suite Professional v2022.1.1.

Liam, PortSwigger Agent | Last updated: Feb 24, 2022 07:03AM UTC

Thanks for your message, Brian. Could I ask how you are observing the response? Would it be possible to share this with us?

Brian | Last updated: Feb 25, 2022 08:03PM UTC

Hi Liam, from the dashboard page I took a screenshot of the issues and the response where I saw the CSP directives. I tried to paste in this screenshot, but it looks like I can't in this thread.

Brian | Last updated: Feb 25, 2022 08:11PM UTC

Liam, since it does not look like I can show a screenshot, here are the specifics. In the Burp application, I clicked the Dashboard tab. One of the panes is titled 'Issue Activity'. In this list I selected the Clickjacking issue. Below the Issue Activity pane, there is another pane with 3 tabs: 'Advisory', 'Request' and 'Response'. I clicked the 'Response' tab. At the top of this pane I see this:

    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Server: Microsoft-IIS/10.0
    Persistent-Auth: true
    X-XSS-Protection: 1; mode=block;
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; font-src 'self' data:; frame-src 'self' www.reveillesoftware.com;
    Access-Control-Allow-Methods: GET, POST, PUT,DELETE, OPTIONS
    Access-Control-Allow-Headers: Accept, Origin, Content-Type
    Access-Control-Allow-Credentials: true
    Date: Tue, 22 Feb 2022 10:52:25 GMT
    Content-Length: 17764

Note the Content-Security-Policy and the frame-ancestors directive.
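The point Brian is making above is the precedence rule a CSP-aware browser applies when deciding whether to render a page inside a frame: an enforced Content-Security-Policy that carries a frame-ancestors directive is authoritative and X-Frame-Options is then ignored; X-Frame-Options only decides when no such directive exists; a Content-Security-Policy-Report-Only header never blocks anything. The Node.js script below is an added example that applies that rule to a response head like the one quoted in the post. It is not code from the thread, from Burp Suite or from PortSwigger. The response head it parses is a constructed, shortened copy of the headers above, the origins app.example, attacker.example and partner.example are made up, and it models only one level of ancestor (real browsers walk the whole ancestor chain).

```javascript
// Added example, not code from the forum thread, Burp Suite or PortSwigger.
// Decides whether a response may be framed, using browser precedence:
// enforced CSP frame-ancestors beats X-Frame-Options; Report-Only never blocks.
// Origins (app.example, attacker.example, partner.example) are made up.

// Parse a raw response head (status line + header lines) into a map of
// lowercase header name -> array of values. Only the first ':' splits a line,
// so CSP values containing colons survive intact.
function parseResponseHead(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.trim() !== '');
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return { status: lines[0] || '', headers };
}

// Collect the frame-ancestors source list of every *enforced* CSP header.
// Within one policy only the first frame-ancestors directive counts, and an
// empty source list behaves like 'none'. Report-Only headers are ignored.
function frameAncestorsLists(headers) {
  const lists = [];
  for (const policy of headers['content-security-policy'] || []) {
    for (const directive of policy.split(';')) {
      const tokens = directive.trim().split(/\s+/).filter(Boolean);
      if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
        lists.push(tokens.slice(1));
        break;
      }
    }
  }
  return lists;
}

// Does one frame-ancestors source expression admit framerOrigin?
// Handles 'none', 'self', '*', scheme-sources (e.g. https:) and host-sources
// with optional scheme, leading "*." wildcard and port.
function sourceMatches(source, framerOrigin, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return framerOrigin === pageOrigin;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return framerOrigin.startsWith(src + '//');
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  let u;
  try { u = new URL(framerOrigin); } catch { return false; }
  if (scheme && u.protocol !== scheme + ':') return false;
  if (wildcard ? !u.hostname.endsWith('.' + host) : u.hostname !== host) return false;
  if (port && port !== '*') {
    const effective = u.port || { 'https:': '443', 'http:': '80' }[u.protocol] || '';
    if (effective !== port) return false;
  }
  return true;
}

// Verdict for a page served from pageOrigin when embedded by a top-level
// document at framerOrigin. decidedBy records which mechanism was decisive.
function framingVerdict(rawResponse, pageOrigin, framerOrigin) {
  const { headers } = parseResponseHead(rawResponse);
  const lists = frameAncestorsLists(headers);
  if (lists.length > 0) {
    // Every enforced policy must admit the framer (multiple policies are ANDed).
    const allowed = lists.every(
      (list) => list.length > 0 && list.some((s) => sourceMatches(s, framerOrigin, pageOrigin)),
    );
    return { allowed, decidedBy: 'csp' };
  }
  const values = (headers['x-frame-options'] || [])
    .flatMap((v) => v.split(','))
    .map((v) => v.trim().toLowerCase())
    .filter(Boolean);
  const unique = new Set(values);
  // Conflicting values that include deny or sameorigin are treated as a block.
  if (unique.size > 1 && (unique.has('deny') || unique.has('sameorigin'))) {
    return { allowed: false, decidedBy: 'x-frame-options' };
  }
  if (values[0] === 'deny') return { allowed: false, decidedBy: 'x-frame-options' };
  if (values[0] === 'sameorigin') return { allowed: framerOrigin === pageOrigin, decidedBy: 'x-frame-options' };
  return { allowed: true, decidedBy: 'none' }; // nothing enforceable: page is frameable
}

// Constructed, shortened copy of the response head quoted in the thread.
const THREAD_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'X-Content-Type-Options: nosniff',
  "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'; form-action 'self'; frame-src 'self' www.reveillesoftware.com;",
  'Content-Length: 17764',
].join('\r\n');

// Constructed counter-example: Report-Only never enforces, so this page is frameable.
const REPORT_ONLY_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Security-Policy-Report-Only: frame-ancestors 'none'\r\n";

console.log(framingVerdict(THREAD_RESPONSE, 'https://app.example', 'https://attacker.example'));
console.log(framingVerdict(REPORT_ONLY_RESPONSE, 'https://app.example', 'https://attacker.example'));
```

For the quoted response the verdict is "blocked, decided by CSP" for any cross-origin framer, which is the result a scanner should reach before reporting a frameable response; the Report-Only variant shows the header a check must not count as protection.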

Liam, PortSwigger Agent | Last updated: Feb 28, 2022 07:54AM UTC

Thanks, Brian. I'll ask our research team to review the information you have sent to assess whether we can improve the scan check. If you ever need to send us a screenshot, you can email us via support@portswigger.net.

hedmondjohn | Last updated: May 23, 2022 07:01AM UTC