Lets learn "What is XFO (X-Frame Options)?"

-


In this tutorial , We'll be discussing on XFO (X-Frame Options) . Actually XFO is not a vulnerability , it is just an optional attributed in response header of any server response . But missing of XFO in response header might create a loophole for hackers to attack on the websites .


Lets first know about the important term Clickjacking .

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

Let's understand this ...
If any user want to load another website on his on web page (a part of it) , one of the possible solutions is using i-frame tag in html . Click on any button/link from the website loaded in the iframe
can also send cookies(corrosponding to the loaded website) with the request . Now let us take an example , suppose you have logged in to the bank website ,so its session cookies are stored in web browser . Suppose there is a button on bank website used to transfer money to an account from current logged in account and the link on buttons is :
https://www.onlinebank.com/send?to=acc_no_where_to_send&amount=amt_to_send
Now if a hacker make a web page , load the bank website in an i-frame such that amount transfer button is in the window of i-frame . The hacker applied a canvas just above the transfer button , and an canvas says "CLICK TO SEE THE MAGIC" . When any user clicks on the canvas , it actually clicking on the button below the canvas which trigger the amount transfer request without letting know to user .

This is known as Clickjacking .

So the main problem caused if XFO is not there in the response header, is Clickjacking .
If there is X-Frame options in the response header , the web browser prevent to load the website in an i-frame on any web site and thus preventing clickjacking .



In the above picture X-Frame-Options : SAMEORIGIN is there in response. It means that iframe will load website only the webpage where iframe is there is of same origin (having the same domain) . https://www.abc.com can load in iframe contained in https://www.sellers.abc.com .

Remediation
Configure your web server to include an X-Frame-Options header. Consult Web references for more information about the possible values for this header.

Hope now you understand what XFO is , what problems can be caused if there is missing XFO , and how to solve the problems .

For any problems or queries , please comment below .

Stay tuned for upcoming tutorials .
Till Then
HAPPY HACKING !!

Comments

Post a Comment

Popular posts from this blog

Lets learn "About kube proxy in iptables mode"

-
Image
In this tutorial, we'll learn about the Kube-proxy in iptables mode. Basically, we'll see how Kube-proxy create iptables that help in load balancing and service discovery. If you are not familiar with Linux IPTables I would recommend to check out my tutorial on IPTables here  first and then come back to read this tutorial. Kube-proxy Kube-proxy when running in iptables mode basically watch kube-apiserver for new endpoints and create corresponding iptables rules and iptables are fully responsible for service discover and proper routing of traffic to corresponding pods. Kube-proxy needs to run on all k8s worker nodes. Below is a small video describing the working of kube-proxy in iptables mode.  src:  https://www.slideshare.net/CJCullen/kubernetes-networking-55835829 Now that we know what Kube-proxy is and how it Kube-proxy works, let deep dive into the types of iptables Kube-proxy adds to the firewall. Kube-proxy added IPTables To learn this let's consider an example. Cons...
Read more

Lets learn "System design for paste bin (or any text sharing website)"

-
Image
  In this tutorial, we'll learn about the system design for PasteBin. If you don't know what Pastebin is here goes its definition. Pastebin is a type of online content hosting service where users can store texts to share with others over the internet.  Pastebin system design requirements  Functional Basic - User should be able to paste the text, generate the link and share the link with other users. There should be the max size of the text that our system will support (say 10Mb) Users should be able to provide the custom URL path for the link created. Like if a user wants to create the links  www.pb.com/letlearn, he can give this URL and pastebin should create a link using this URL to share with others. The link or paste expiry feature should be there for each stored text. There can be default expiry time say 1 year but this should be configurable. Personalization means the user should be able to login to track all the pastes created by him and manage them. Non-Funct...
Read more

Lets learn "What is CDN?"

-
Image
  In this tutorial, we'll learn about What is CDN ( Content delivery network ) and how it works. Introduction Whenever you access any website on your mobile phone or laptop or any other device using the internet connection, you must have seen for some of the websites the pages load quickly, and for others, it takes considerably more time. Why is that?  Basically loading any website requires the data needs to be downloaded from the server where that particular website is hosted. For e.g, if you are accessing a website in Canada which is hosted on a server in India, it will take some time due to the latency but if that website is hosted on servers in Canada itself it will take less time to load due to low latency. So internet experience can be bad for some of the websites when clients and servers are separated by a long distance. One could argue that why not host the website on servers in all regions but that would increase the cost a lot. The better solution is to use CDN. Let'...
Read more