DEV Community

Grzegorz Piechnik

X-Frame-Options header explained

X-Frame-Options is an HTTP response header that the web server adds when answering a user's request; it tells the browser whether the page may be rendered inside a frame.

The header takes one of two values, DENY or SAMEORIGIN. If X-Frame-Options is not set, our page can be rendered inside frame, iframe, embed or object tags.
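As an added example (not code from the original post), the Python below classifies a response's framing policy from its headers and shows a small WSGI middleware that adds the header when an application forgot it. It goes slightly beyond the post by also checking the Content-Security-Policy frame-ancestors directive, which browsers honour over X-Frame-Options; the function names and all sample header values are assumptions.

```python
from typing import Mapping

def framing_policy(headers: Mapping[str, str]) -> str:
    """Classify how a response's headers restrict framing.
    Returns 'denied', 'same-origin', 'restricted-by-csp', 'invalid-xfo' or 'unprotected'.
    Browsers honour CSP frame-ancestors over X-Frame-Options, so CSP is checked first."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return "denied"
            if sources == ["self"]:
                return "same-origin"
            return "restricted-by-csp"
    xfo = lower.get("x-frame-options")
    if xfo is None:
        return "unprotected"  # page can be loaded in any frame/iframe/embed/object
    value = xfo.strip().upper()
    if value == "DENY":
        return "denied"
    if value == "SAMEORIGIN":
        return "same-origin"
    # Obsolete ALLOW-FROM or a typo: current browsers ignore it, so the page stays framable.
    return "invalid-xfo"

def deny_framing(app):
    """WSGI middleware (hypothetical name) that adds X-Frame-Options: DENY and the
    equivalent CSP directive to responses that do not already set them."""
    def wrapped(environ, start_response):
        def start_with_headers(status, response_headers, exc_info=None):
            names = {name.lower() for name, _ in response_headers}
            if "x-frame-options" not in names:
                response_headers.append(("X-Frame-Options", "DENY"))
            if "content-security-policy" not in names:
                response_headers.append(("Content-Security-Policy", "frame-ancestors 'none'"))
            return start_response(status, response_headers, exc_info)
        return app(environ, start_with_headers)
    return wrapped

if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    print(framing_policy({"Content-Type": "text/html"}))       # unprotected
    print(framing_policy({"X-Frame-Options": "SAMEORIGIN"}))  # same-origin
```

A response that already carries a Content-Security-Policy without frame-ancestors is left untouched by the middleware, so check the classifier's verdict rather than assuming the header was added.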

What a missing header makes possible

Because the header is missing and the page can therefore be embedded on other sites, users are exposed to clickjacking attacks: a technique in which users are tricked into clicking elements that are not visible to them. An example scenario might look like the following:

  1. a user gets a link in his email inbox stating that unfavorable photos of him have been shared online on a specified site
  2. the unaware target clicks on the suspicious link
  3. the page asks if his email is: victim@gmail.com
  4. the user confirms the whole thing with the "yes" button

At this point, an invisible element sits in place of the button; when clicked, it runs JavaScript that goes on to share the false message on Facebook. This is one of many ways to exploit a missing header.

More examples?

In one of his posts, user asurti6783 describes how it was possible to take over a user's account. In a nutshell:

The pentester found a bug: when a user visited two specific links one after the other, a prepared script was executed. Since it was unlikely that a user would open the first link and then manually swap the URI for the second, he looked for an alternative. He noticed that the X-Frame-Options header was missing. He then prepared a script that, once the victim visited the attacker's site, would load the target page in the background and switch from the first link to the second. In this way it would be possible to take over, for example, the user's cookies, provided the user was logged in.

Still not enough? Here, a user presented a potential attack on forum users with the following payload, inserted into successive posts.

```html
<iframe src="http://x.x.x.x/index.html"></iframe>
```

The scenario was that when a user opens the post, the code above loads content from the page given in the src attribute, and a script on the attacker's page is then executed, ultimately intended to take over the user's account.

Sources

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://github.com/asurti6783/writeups/blob/main/bug.md
https://medium.com/@irounakdhadiwal999/stored-iframe-injection-csrf-account-takeover-42c93ad13f5d
