Clickjacking: X-Frame-Options header missing
漏洞描述
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
X-Frame-Options HTTP 响应头, 可以指示浏览器是否应该加载一个iframe中的页面。iframe之后可做透明层劫持点击
漏洞影响
存在该漏洞的web应用程序可能会被点击劫持
漏洞属性
CWECWE-693
CVSS 分值: 6.8 — AV:N/AC:M/Au:N/C:P/I:P/A:P
访问向量: 网络
访问复杂性: 中
身份验证: 无
保密性影响: 局部
完整性影响: 局部
可用性影响: 局部
应对策略
网站可以通过设置X-Frame-Options阻止站点内的页面被其他页面嵌入从而防止点击劫持
漏洞修复
APACHE配置httpd.conf,添加 Header always append X-Frame-Options DENY ,重启apache
NGINX修改nginx.conf,添加 add_header X-Frame-Options "DENY";
IIS修改web.config,<add name="X-Frame-Options" value="DENY" />
大数据精准营销总结:珍爱生命,禁止iframe,防止点击劫持!
济南往网站建设,精准营销领导者!
云优网络,网站建设领导者!
www.sdyunyou.com
KEYWORDS
漏洞 点击劫持 Clickjacking iframe X-Frame-Options