Did Not Connect: Potential Security Issue


Steven Atkinson

Aug 19, 2021, 6:07:49 PM
to OWASP ZAP User Group

I'm new to ZAP, and the ZAP HUD.

I think because my site uses these response headers the HUD is DOA:

X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff

I get big black security warnings instead of the HUD sidebar menus.

Anyone else encountered this?

Steve

Simon Bennetts

Aug 20, 2021, 3:28:46 AM
to OWASP ZAP User Group
Hi Steve,

Yeah, that will probably break the HUD.
We already remove CSP so we should do the same for "X-Frame-Options: DENY" as well - I've raised a new issue for this: https://github.com/zaproxy/zap-hud/issues/999

In the meantime you can do this yourself with Replacer rule: https://www.zaproxy.org/docs/desktop/addons/replacer/
Try that and see if it works for you - let us know either way.

Cheers,

Simon
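An added example (not part of the thread and not ZAP's own code) showing the check and the rewrite the Replacer suggestion amounts to: find the response headers that stop a page being framed, and drop only those, leaving the other hardening headers alone. The sample headers are the ones from the first post plus a constructed CSP; treating a `frame-ancestors` directive as a framing blocker is my assumption about what the HUD's CSP removal covers.

```python
"""Find response headers that block framing (and so block the ZAP HUD's
injected frames), and strip only those, as a proxy rewrite rule would.

Added example, not ZAP's own code. Header names and values come from
the thread; the sample response below is constructed."""

# X-Frame-Options values that refuse a cross-origin frame.
FRAME_BLOCKING_XFO = {"deny", "sameorigin"}


def framing_blockers(headers):
    """Return the (name, value) pairs that would block framing.

    `headers` is a list of (name, value) tuples as read from a raw HTTP
    response; names are compared case-insensitively.
    """
    found = []
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options" and value.strip().lower() in FRAME_BLOCKING_XFO:
            found.append((name, value))
        elif lname == "content-security-policy" and "frame-ancestors" in value.lower():
            # Assumption: a frame-ancestors directive also keeps the HUD out.
            found.append((name, value))
    return found


def strip_framing_blockers(headers):
    """Drop only the framing-related headers; X-Content-Type-Options,
    X-Xss-Protection and the rest survive, which is what a Replacer rule
    scoped to X-Frame-Options does in the test proxy only."""
    blocked = set(framing_blockers(headers))
    return [h for h in headers if h not in blocked]


# Constructed sample: the headers from the first post plus a CSP.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "DENY"),
    ("X-Xss-Protection", "1; mode=block"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
]

if __name__ == "__main__":
    for name, value in framing_blockers(SAMPLE_HEADERS):
        print(f"would block the HUD frame: {name}: {value}")
    print(strip_framing_blockers(SAMPLE_HEADERS))
```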