Security Testing: Security Headers - X-Frame-Options

By -
Recently, I wrote an HTML Code to learn about HTML Attributes.

 <a href="https://www.google.com">Google</a>
</br>
</br>
<a href="https://www.youtube.com" target="_blank">Youtube</a>

 I have written this on CodePen website, which is an online code editor tool.

 When I clicked on Youtube link, It has opened the Youtube website on a new tab in the browser as target attribute has been set to blank.

 When I clicked on Google Link, as the target attribute is not added. It should open the Google Website in the same results page.

 But, I observed the result page shows: www.google.com refused to connect.

 As part of the investigation, I have opened F12 - Chrome Web Developer Tools and Navigated to Console. 

 Observed: "X-Frame-Options" is set to "SameOrigin" and refused to display "www.google.com"


Security Concepts:
Also, I have checked the Network Tab with Oewrbm resource name.

The reason because not all browsers support info for the X-Frame-Options header.

 I usually refer to this website "https://securityheaders.com" to analyze the security headers.

 Ran the URL: https://codepen.io/srinivasskc/pen/Oewrbm on the security headers webpage.




The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe.

 References: 
https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options

 https://www.whitehatsec.com/blog/x-frame-options/

 https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Clickjacking_Defense_Cheat_Sheet.md

 https://erlend.oftedal.no/blog/tools/xframeoptions/
Location: Bengaluru, Karnataka, India

Popular Posts

JMeter Producing Error: Windows RegCreateKeyEx(...) returned error code 5

By -
After running JMeter.bat on Command Line, Problem java.util.prefs.WindowsPreferences <init> WARNING: Could not open/create prefs root node Software\JavaSoft\Prefs at root 0x80000002. Windows RegCreateKeyEx(...) returned error code 5. Cause Environment Resolving the problem The error occurs because java.util.prefs.WindowsPreferences is trying to save information in HKEY_LOCAL_MACHINE\Software\JavaSoft\Prefs instead of under HKEY_CURRENT_USER\Software\JavaSoft\Prefs. Windows 7 64-bit The work around is to Open JMeter.bat file as the administrator and so it creates the key HKEY_LOCAL_MACHINE\Software\JavaSoft\Prefs.
Read more

Understanding about Contract Testing

By -
Image
Yesterday Morning (9th May 2020), I had good discussion with  Sundaresan  Krishnaswami on " Contract Testing ". I thank  Sundaresan   for his time and sharing his knowledge. It started with an example: The Owner provides the house or Place of Residence to the Tenants. "Rent Agreement" is provided for the house and It contains agreement to use the house. The house comes with like kitchen, living room, bed room, fans, geysers etc.. It also contains who resides and what is the contractual period, obligation (money) etc.. Here, Owner is the Server and Tenant is Client.                                         Client-Server Architecture. Illustrating the same in the E-Commerce Context: In Some Development Companies, There can be two teams developing the Payments and Orders APIs. In B2B or B2C Ecommerce applications, we place an order using web browser through payment methods and Order is created. Order is successful only when Payment is successful. In general, Payments te
Read more