X-Frame-Options Setting Malformed

X-Frame-Options is an HTTP response header which indicates if a page could be embeddable in an iframe element. If the X-Frame-Options setting is malformed it means the page can be embedded in an iframe on any other page and thus makes it vulnerable to a clickjack attack. To see why it’s dangerous let’s imagine that a social media like Facebook has a malformed X-Frame-Options setting:

1. The attacker creates a website that somehow tempts you to click a button there (like “click here to see more” etc.).
2. A link to the malicious website is spread by means of Facebook
3. When a Facebook user clicks the link the attacker would perform the crucial step: embed an invisible iframe with a Facebook “like it” button (since it is not prevented due to malformed X-Frame-Options setting!) and place it on top of the “click here to see more” button of the malicious website.
4. The unconscious Facebook user tries to hit the “click here to see more” button while in fact he clicks the “like it” button.

Although clicking unwillingly “like it” button doesn’t seem to be a disaster yet but think what would happen if instead of simple “like it” click a message to all user’s Facebook contacts was sent or if instead of Facebook we would consider a banking site and a “transfer money” button.

Verify if your web page always uses valid values for X-Frame-Options header. The valid values are: DENY, SAMEORIGIN. The obsolete value is ALLOW-FROM and should not be used as many browsers do not support it.

ScanRepeat looks for the X-Frame-Options header and validates its value.