X-Frame-Options test and how to inspect the code
785 views
Skip to first unread message
Albert Z
Jul 9, 2015, 11:54:39 AM7/9/15
to zaprox...@googlegroups.com
To learn more about how the tests work I would like to inspect the code. In this case the X-Frame-Options test.
I am using ZAP 2.4.0.
The test identifies that the X-Frame-Options header is not set. This is a correct finding.
However, it only finds it on *.css and *.js file responses. The files that contain html are not listed in the results of this test. However on the html pages the X-Frame-Options header is also missing. That makes me wonder what the test is doing. Is it looking for a combination of headers?
However, it only finds it on *.css and *.js file responses. The files that contain html are not listed in the results of this test. However on the html pages the X-Frame-Options header is also missing. That makes me wonder what the test is doing. Is it looking for a combination of headers?
To increase my understanding I would like to look through the test code. I know the code is on GitHub, but where do I navigate to to find the code of each test?
Simon Bennetts
Jul 9, 2015, 12:21:26 PM7/9/15
to zaprox...@googlegroups.com, albert....@gmail.com
The locations of the rules are linked of the 'Hacking ZAP' blog series:
- http://zaproxy.blogspot.co.uk/2014/04/hacking-zap-3-passive-scan-rules.html
- http://zaproxy.blogspot.co.uk/2014/04/hacking-zap-4-active-scan-rules.html
The X-Frame-Options rule is here: https://github.com/zaproxy/zap-extensions/blob/master/src/org/zaproxy/zap/extension/pscanrules/XFrameOptionScanner.java
Cheers,
Simon
Albert Z
Jul 10, 2015, 2:29:52 PM7/10/15
to zaprox...@googlegroups.com, albert....@gmail.com
Thank you very much.
Upon reading the code and scrutinizing the scan results, it turns out the css and js responses vastly outnumber the html responses, hence the html responses were hard to find among the more than 200 findings for this test.
Reply all
Reply to author
Forward
0 new messages