Skip to content
English - United States
Contact us
  • There are no suggestions because the search field is empty.

Incident Report 072321 - X-Frame header not set

ANALYSIS RESULTS

Below is the complete analysis and results.

SUMMARY OF REPORT

Customers is US Commercial region identified a security vulnerability that could cause framesniffing and clickjacking issues in VIDIZMO website.

It was reported that the VIDIZMO website does not include use of X-FRAME-OPTIONS which is recommended in setting up websites where user interaction is required for one-click authentication.

ID
Identified Vulnerability
Description
VUL-04
"X-Frame-Options" Not Set
The use of X-FRAME-OPTIONS is recommended in setting up websites where user interaction is required for one-click authentication.

FINDINGS

Framesniffing is an attack technique that takes advantage of browser functionality to steal data from a website.

Clickjacking is a malicious technique to trick a web user into clicking on something different from what the user actually perceives, which can infect a machine with malware that potentially reveals confidential information or takes control of the user's computer and/or Username.

Administrators can mitigate framesniffing by configuring IIS to send an HTTP response header that prevents content from being hosted in a cross-domain IFRAME.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a ,

VIDIZMO offers as part of its default features. VIDIZMO provides security update to resolve this vulnerability based on special conditions (if required) as per customers' security needs.

TOOLS

For the execution of this project, the most up-to-date versions of the following tools and components associated with them were used:

Tool
Description
Browser Developer Tools
Every modern web browser includes a powerful suite of developer tools. These tools do a range of things, from inspecting currently-loaded HTML, CSS and JavaScript to showing which assets the page has requested and how long they took to load. This article explains how to use the basic functions of your browser's devtools.
URL Rewrite Module
URL Rewrite is an extension for IIS web server and allows Web administrators to easily build powerful rules using rewrite providers written in .NET, regular expression pattern matching, and wildcard mapping to examine information in both URLs and other HTTP headers and IIS server variables.

LINE OF ACTION AND ASSOCIATED TIMELINES

The following table outlines actions performed and their schedule to remediate security issues and vulnerabilities.

ID
Identified Vulnerability
Identification Date
Incident Resolution Date (Start to End)
VUL-04
"X-Frame-Options" Not Set
July 03 2021
July 07 2021 - July 09 2021

REMEDIATION PROCEDURE

Below is the detail about actions performed to remove security vulnerabilities.

Vulnerability Identification
VUL-04 - "X-Frame-Options" Not Set
Description of Vulnerability
The use of X-FRAME-OPTIONS is recommended in setting up websites where user interaction is required for one-click authentication.
Remediation Action
Created an outbound rewrite rule in IIS that matches given host URL and rewrites additional HTTP header. See links to Reference 1, Reference 2, Reference 3, Reference 4, Reference 5, Reference 6, Reference 7

DETAIL OF VULNERABILITIES

This section provides complete detail of vulnerabilities identified during the assessment procedure.

Vulnerability ID: VUL-04"X-Frame-Options" Not Set
Description of Vulnerability The use of X-FRAME-OPTIONS is recommended in setting up websites where user interaction is required for one-click authentication.
Organizational Risk Framesniffing is an attack technique that takes advantage of browser functionality to steal data from a website. Web applications that allow their content to be hosted in a cross-domain IFRAME may be vulnerable to this attack. Clickjacking is a malicious technique to trick a web user into clicking on something different from what the user actually perceives, which can infect a machine with malware that potentially reveals confidential information or takes control of the user's computer and/or Username.