Bypassing the X-Frame-Options header

Victor Oliveira
3 min read, Oct 2, 2024

The X-Frame-Options HTTP response header tells the browser not to render your website inside an <iframe> on third-party websites. Sending X-Frame-Options therefore prevents malicious users from exploiting an attack called clickjacking.

Clickjacking is an attack that tricks a user into clicking on an element of a web page that is invisible or disguised as another element. This can result in users unintentionally downloading malware, visiting malicious pages, providing credentials or sensitive information, transferring money, or purchasing products online.

Typically, attackers perform clickjacking by displaying an invisible page or HTML element inside an iframe. The user believes they are clicking on the visible page, but they are actually clicking on an invisible element on the additional page that is layered on top of it.

The invisible page could be a malicious page or a legitimate page that the user did not intend to visit — for example, a page on the user’s bank website that authorizes money transfers.

A site protected from clickjacking sends the X-Frame-Options HTTP response header set to deny or sameorigin, which makes it impossible for other sites to render it in an iframe. The Red Bull site, shown in a screenshot in the original post, is one example.

There is a way to bypass this protection if CORS (Cross-Origin Resource Sharing) is not properly configured. To do so, we need to add two JavaScript scripts to the page that contains the iframe. The script is the x-frame-bypass project, which is published on GitHub.

We added the scripts and the is="x-frame-bypass" attribute to the iframe tag.

<!-- the two scripts from the post, with the stray spaces and curly quotes in the URLs removed -->
<script type="module" src="https://unpkg.com/x-frame-bypass"></script>
<script src="https://unpkg.com/@ungap/custom-elements-builtin"></script>
<!-- the iframe the post describes; the src below is a placeholder, the post does not give the framed URL -->
<iframe is="x-frame-bypass" src="https://example.com/"></iframe>

Now reload the page and the iframe renders the framed site, as in the screenshot in the original post.

Developers must keep their application's CORS (Cross-Origin Resource Sharing) configuration tight to prevent attackers from exploiting the clickjacking vulnerability.
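To make the check concrete, here is an added example (not code from the original post or from the x-frame-bypass project) that audits a set of HTTP response headers for framing protection. It accepts X-Frame-Options DENY or SAMEORIGIN as the post describes, also checks the Content-Security-Policy frame-ancestors directive that modern browsers use for the same purpose, and flags a wildcard Access-Control-Allow-Origin. The header sets at the bottom are constructed samples, not captured from any real site.

```javascript
// Added example: audit response headers for clickjacking protection.
// Not part of the original post; all header values here are constructed samples.

// Normalise a headers object so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Extract the frame-ancestors directive from a Content-Security-Policy value.
// Returns null when the directive is absent, otherwise its source expressions.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Source expressions that let any site frame the page.
const OVERLY_BROAD_ANCESTORS = ["*", "http:", "https:"];

// Evaluate framing protection and CORS exposure from one response's headers.
function assessFramingProtection(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const findings = [];

  // X-Frame-Options: only DENY and SAMEORIGIN are honoured by current browsers.
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  const xfoProtects = xfo === "DENY" || xfo === "SAMEORIGIN";
  if (!h["x-frame-options"]) {
    findings.push("missing X-Frame-Options");
  } else if (!xfoProtects) {
    // ALLOW-FROM is obsolete and ignored; any other value is invalid.
    findings.push(`X-Frame-Options value not enforced by modern browsers: ${xfo}`);
  }

  // CSP frame-ancestors: the standards-track replacement for X-Frame-Options.
  const ancestors = parseFrameAncestors(h["content-security-policy"]);
  const cspProtects =
    ancestors !== null && !ancestors.some((a) => OVERLY_BROAD_ANCESTORS.includes(a));
  if (ancestors === null) {
    findings.push("missing CSP frame-ancestors");
  } else if (!cspProtects) {
    findings.push("CSP frame-ancestors allows any origin");
  }

  // CORS: a wildcard lets any origin read the response body cross-site.
  const acao = h["access-control-allow-origin"];
  const corsWildcard = acao === "*";
  if (corsWildcard) {
    findings.push("Access-Control-Allow-Origin: * lets any origin read the response body");
  }

  return { framingBlocked: xfoProtects || cspProtects, corsWildcard, findings };
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  hardened: {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  },
  legacyOnly: {
    "x-frame-options": "SAMEORIGIN",
    "Access-Control-Allow-Origin": "*",
  },
  unprotected: {
    "Content-Type": "text/html",
  },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(assessFramingProtection(headers)));
}
```

One caveat worth knowing when reading the result: the x-frame-bypass component does not defeat these headers in the browser. It fetches the target page through a public CORS proxy and writes the returned HTML into the iframe's srcdoc, so the browser never sees the target's X-Frame-Options header at all; the framed copy is served from the proxy's origin, without the victim's session cookies, which is why the headers still protect the logged-in session.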

If you want to understand more about the topic, get in touch with Resh.


Written by Victor Oliveira, Co-founder & CEO @ Resh | Strategy Consultant