Burp Suite User Forum


Missing legal value in "Frameable response (potential Clickjacking)"

Alf-Ivar | Last updated: Dec 10, 2015 03:36PM UTC

The "Remediation detail" claims: "The X-Frame-Options header should only have one of the expected values: DENY or SAMEORIGIN."

That used to be the case, but today even "ALLOW-FROM <url>" is allowed, as described in the Mozilla page under References. According to OWASP, ALLOW-FROM has been around since 2012: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Limitations_2

The caution mentioned in the OWASP article is valid, but the current "Issue detail" is not true: "The response contains an X-Frame-Options header with an unexpected value. Browsers will ignore this header and allow the response to be framed."

Regards,
Affi

PortSwigger Agent | Last updated: Dec 16, 2015 11:44AM UTC

Thanks for this feedback. It is our understanding that not all current browsers support the ALLOW-FROM value - e.g. Chrome does not support this. When an unexpected value is received, browsers default to allowing framing from anywhere. Assuming this is correct, perhaps we should update Burp to add some wording in this situation saying that the ALLOW-FROM value is not supported by all browsers, and so the response is still vulnerable?
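The three situations discussed in this thread (an expected DENY/SAMEORIGIN value, an ALLOW-FROM value that only some browsers honour, and an unexpected or conflicting value that browsers ignore) can be expressed as a small header check. The following is an added example and is not Burp Suite's own scanner logic. It assumes that X-Frame-Options values are compared case-insensitively (as RFC 7034 specifies), that comma-joined or repeated headers with differing values are treated as conflicting and therefore ignored by browsers, and that ALLOW-FROM should be reported with the wording suggested above rather than as fully protected. The sample header sets in the `__main__` block are constructed for illustration.

```python
"""Classify an HTTP response's X-Frame-Options header for a clickjacking check.

Added example, not Burp Suite's own check. Assumptions (not from the thread):
values are compared case-insensitively per RFC 7034; multiple differing values
(repeated headers or a comma-joined list) count as conflicting and are treated
as ignored by browsers; ALLOW-FROM is reported as only partially protective.
"""
from dataclasses import dataclass
from typing import List, Tuple

EXPECTED = ("DENY", "SAMEORIGIN")


@dataclass
class Verdict:
    status: str  # "protected", "partial" or "frameable"
    detail: str  # wording a report could carry for this case


def collect_xfo_values(headers: List[Tuple[str, str]]) -> List[str]:
    """Gather every X-Frame-Options value, splitting comma-joined lists."""
    values = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            values.extend(part.strip() for part in value.split(",") if part.strip())
    return values


def assess_xfo(headers: List[Tuple[str, str]]) -> Verdict:
    """Return the verdict for the X-Frame-Options header(s) in a response."""
    values = collect_xfo_values(headers)
    if not values:
        return Verdict("frameable",
                       "No X-Frame-Options header: the response can be framed from anywhere.")
    if len({v.upper() for v in values}) > 1:
        # Conflicting directives: assumed to be discarded by browsers.
        return Verdict("frameable",
                       f"Conflicting X-Frame-Options values {values}: browsers ignore the "
                       "header and allow the response to be framed.")
    tokens = values[0].split(None, 1)
    directive = tokens[0].upper()
    if directive in EXPECTED and len(tokens) == 1:
        return Verdict("protected", f"X-Frame-Options: {directive}")
    if directive == "ALLOW-FROM" and len(tokens) == 2:
        # Legal per the Mozilla/OWASP references, but not universally supported.
        return Verdict("partial",
                       f"ALLOW-FROM {tokens[1]} is not supported by all browsers; a browser "
                       "that does not implement it ignores the header, so the response is "
                       "still frameable there.")
    return Verdict("frameable",
                   f"Unexpected X-Frame-Options value {values[0]!r}: browsers ignore this "
                   "header and allow the response to be framed.")


if __name__ == "__main__":
    # Constructed sample responses, one per case discussed in the thread.
    samples = {
        "deny": [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")],
        "sameorigin (lowercase)": [("x-frame-options", "sameorigin")],
        "allow-from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
        "typo": [("X-Frame-Options", "SAME-ORIGIN")],
        "conflict": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
        "missing": [("Content-Type", "text/html")],
    }
    for label, hdrs in samples.items():
        verdict = assess_xfo(hdrs)
        print(f"{label:24} {verdict.status:10} {verdict.detail}")
```

The "partial" status is the case the two posts above disagree on: the header value is legal, so the current "unexpected value" wording does not fit, yet a browser without ALLOW-FROM support behaves exactly as if the value were unexpected, which is why the check still reports it rather than marking the response protected.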
