X-Frame-Options alert on 403 and 404 pages


Cash Williams

Apr 14, 2015, 3:54:51 PM
to zaprox...@googlegroups.com
Running against a Drupal site, I'm seeing alerts for "X-Frame-Options Header Not Set". Looking at these pages, these are all 403 and 404 pages that are returned via Apache using .htaccess.

Does it make sense to alert on these? 
If No, should ZAP not report on them?
If Yes, what am I missing as I'm not sure how lacking this header would be used in an attack.

Simon Bennetts

Apr 15, 2015, 4:14:13 AM
to zaprox...@googlegroups.com
I agree, it doesn't make much sense :)
I've raised an issue for this: https://code.google.com/p/zaproxy/issues/detail?id=1600

Anyone disagree?

Cheers,

Simon

kingthorin+owaspzap

Apr 15, 2015, 8:31:55 AM
to zaprox...@googlegroups.com
I think it would depend on the content of the 403 and 404, which we can't really predict ahead of time.

If it's a custom 403 or 404 there could still be something worth clickjacking or carrying out another type of framing attack on.

I guess this is also something we could handle via threshold. Medium/Low ignore various error response types, High/Insane then alert on them.....

Simon Bennetts

Apr 15, 2015, 8:43:17 AM
to zaprox...@googlegroups.com
+1
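The threshold behaviour kingthorin proposes (Low/Medium skip error responses, High/Insane alert on everything) is easy to express as a small passive check. The code below is an added illustration written for this thread, not ZAP's own scan-rule code; the `Response` class, the `ERROR_STATUSES` set, the threshold names' ordering and the sample responses are all constructed assumptions. It also skips non-HTML responses, since only a rendered document can be framed, and treats any value other than `DENY` or `SAMEORIGIN` as worth flagging.

```python
"""Passive check for a missing or weak X-Frame-Options header, with the
threshold behaviour discussed in the thread (Low/Medium ignore error
responses, High/Insane alert on them). Added example, not ZAP code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Threshold names as used by ZAP; the ordering below is an assumption.
LOW, MEDIUM, HIGH, INSANE = "Low", "Medium", "High", "Insane"

# Constructed set of "various error response types" to ignore at Low/Medium.
ERROR_STATUSES = {401, 403, 404, 500}


@dataclass
class Response:
    """Minimal stand-in for an HTTP response as a passive rule would see it."""
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_xfo(resp: Response, threshold: str = MEDIUM) -> Optional[str]:
    """Return an alert message if the response should be flagged, else None."""
    ctype = (get_header(resp.headers, "Content-Type") or "").lower()
    if not ctype.startswith("text/html"):
        return None  # only HTML documents can be framed for clickjacking
    if threshold in (LOW, MEDIUM) and resp.status in ERROR_STATUSES:
        return None  # the thread's suggestion: error pages ignored at Low/Medium
    xfo = get_header(resp.headers, "X-Frame-Options")
    if xfo is None:
        return f"{resp.url}: X-Frame-Options header not set (HTTP {resp.status})"
    if xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        return f"{resp.url}: X-Frame-Options has unexpected value {xfo!r}"
    return None


def scan(responses: List[Response], threshold: str = MEDIUM) -> List[str]:
    """Run the check over a set of responses and collect the alerts."""
    return [a for a in (check_xfo(r, threshold) for r in responses) if a]


# Constructed sample traffic: a normal page, an Apache-style custom 404,
# a 403 that does carry the header, and a JSON endpoint.
SAMPLE = [
    Response("https://example.test/", 200, {"Content-Type": "text/html"}),
    Response("https://example.test/missing", 404, {"Content-Type": "text/html; charset=utf-8"}),
    Response("https://example.test/private", 403,
             {"Content-Type": "text/html", "X-Frame-Options": "DENY"}),
    Response("https://example.test/api", 200, {"content-type": "application/json"}),
]

if __name__ == "__main__":
    for level in (MEDIUM, HIGH):
        print(f"--- threshold {level} ---")
        for alert in scan(SAMPLE, level):
            print(alert)
```

On the Drupal side of the original question, the usual reason a site sends the header on normal pages but not on Apache-generated 403/404 responses is that mod_headers' `Header set` only applies to successful (2xx) responses by default; `Header always set X-Frame-Options "SAMEORIGIN"` applies it to error responses as well, which removes the alert regardless of how the scanner thresholds it.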