NEWS

资讯

改变创造价值
用户体验至上

常见漏洞之X-Frame-Options header missing

TIME:2019-05-06 HITS:289

Clickjacking: X-Frame-Options header missing    

漏洞描述

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.  

 The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. 

X-Frame-Options HTTP 响应头, 可以指示浏览器是否应该加载一个iframe中的页面。iframe之后可做透明层劫持点击 


漏洞影响 存在该漏洞的web应用程序可能会被点击劫持 


漏洞属性 CWECWE-693 

CVSS 分值:  6.8 — AV:N/AC:M/Au:N/C:P/I:P/A:P 

访问向量: 网络 

访问复杂性: 中 

身份验证: 无 

保密性影响: 局部 

完整性影响: 局部 

可用性影响: 局部 


应对策略 

网站可以通过设置X-Frame-Options阻止站点内的页面被其他页面嵌入从而防止点击劫持 


漏洞修复 

APACHE配置httpd.conf,添加 Header always append X-Frame-Options DENY ,重启apache 

NGINX修改nginx.conf,添加 add_header X-Frame-Options "DENY"; 

IIS修改web.config,<add name="X-Frame-Options" value="DENY" />


大数据精准营销总结:珍爱生命,禁止iframe,防止点击劫持!


济南往网站建设,精准营销领导者!

云优网络,网站建设领导者!


www.sdyunyou.com


   


                                                                   KEYWORDS

                                                                   漏洞 点击劫持 Clickjacking iframe X- 

                                                                   Frame-Options

  • 热门资讯