Security Testing: Security Headers - X-Frame-Options
Recently, I wrote some HTML code to learn about HTML attributes.
<a href="https://www.google.com">Google</a>  <!-- no target attribute: the link navigates the current browsing context (here, CodePen's result pane) -->
<br>
<br>
<a href="https://www.youtube.com" target="_blank">Youtube</a>  <!-- target="_blank": the link opens in a new tab -->
I wrote this on the CodePen website, which is an online code editor tool.
When I clicked the Youtube link, it opened the Youtube website in a new browser tab, because the target attribute is set to _blank.
When I clicked the Google link, which has no target attribute, it should have opened the Google website in the same result pane.
But I observed that the result pane showed: www.google.com refused to connect.
As part of the investigation, I opened the Chrome Developer Tools (F12) and navigated to the Console.
Observed: "X-Frame-Options" is set to "SameOrigin" and the browser refused to display "www.google.com".
Security Concepts:
I also checked the Network tab for the resource named Oewrbm.
The reason is that not all browsers provide information for the X-Frame-Options header.
I usually use the website https://securityheaders.com to analyze security headers.
I ran the URL https://codepen.io/srinivasskc/pen/Oewrbm through the Security Headers website.
The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe.
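To make the two observations above concrete (Google's SAMEORIGIN header causing "refused to connect" inside CodePen's result pane, and the pen itself carrying no framing header at all), here is an added example that is not part of the original post and not CodePen's or securityheaders.com's code. It evaluates a response's X-Frame-Options header and the Content-Security-Policy frame-ancestors directive the way a browser would, deciding whether a given framing page may embed a given target page. The header sets in SAMPLES are constructed for illustration; the fetch_headers helper is only there for a live check and needs network access.

```python
"""Decide whether a page may be framed, from its response headers.

Added example (not from the original post). Models browser behaviour for
X-Frame-Options and the CSP frame-ancestors directive. Sample header sets
are constructed, modelled on what the post observed.
"""
import urllib.request
from urllib.parse import urlsplit


def origin_of(url):
    """Return the scheme://host[:port] origin of a URL, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def parse_csp_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers, page_url, framer_url):
    """Return (allowed, reason) for framer_url embedding page_url.

    headers: response headers of page_url (header names case-insensitive).
    """
    h = {k.lower(): v for k, v in headers.items()}
    page_origin, framer_origin = origin_of(page_url), origin_of(framer_url)

    # CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = parse_csp_frame_ancestors(csp)
        if sources is not None:
            if not sources or "'none'" in sources:
                return False, "CSP frame-ancestors 'none': framing blocked everywhere"
            if "*" in sources:
                return True, "CSP frame-ancestors *: any site may frame this page"
            allowed = set()
            for src in sources:
                if src == "'self'":
                    allowed.add(page_origin)
                elif src.startswith("http"):
                    # scheme://host form only; wildcard hosts are not handled here
                    allowed.add(src.rstrip("/"))
            if framer_origin in allowed:
                return True, f"CSP frame-ancestors permits {framer_origin}"
            return False, f"CSP frame-ancestors does not list {framer_origin}"

    xfo = h.get("x-frame-options")
    if xfo is None:
        return True, ("no X-Frame-Options or frame-ancestors: any site may frame "
                      "this page (clickjacking risk)")
    value = xfo.strip().lower()
    if value == "deny":
        return False, "X-Frame-Options DENY: framing blocked everywhere"
    if value == "sameorigin":
        if framer_origin == page_origin:
            return True, "X-Frame-Options SAMEORIGIN: same-origin framer allowed"
        return False, (f"X-Frame-Options SAMEORIGIN: {framer_origin} is not "
                       f"{page_origin}; the browser shows 'refused to connect'")
    # ALLOW-FROM is obsolete and invalid values are ignored, so no protection applies.
    return True, f"X-Frame-Options value {xfo!r} is ignored by modern browsers"


def fetch_headers(url, timeout=10):
    """Live check: fetch a URL and return its response headers (needs network)."""
    req = urllib.request.Request(url, headers={"User-Agent": "xfo-check/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed header sets, modelled on the post's observations.
SAMPLES = {
    "google": {"X-Frame-Options": "SAMEORIGIN", "Content-Type": "text/html"},
    "codepen_pen": {"Content-Type": "text/html"},  # no framing header at all
    "csp_site": {"Content-Security-Policy":
                 "default-src 'self'; frame-ancestors 'self' https://trusted.example"},
}

if __name__ == "__main__":
    for name, page, framer in [
        ("google", "https://www.google.com/", "https://codepen.io/"),
        ("codepen_pen", "https://codepen.io/srinivasskc/pen/Oewrbm", "https://attacker.example/"),
        ("csp_site", "https://app.example/", "https://trusted.example/"),
    ]:
        allowed, reason = framing_policy(SAMPLES[name], page, framer)
        print(f"{name}: framing {'allowed' if allowed else 'blocked'} - {reason}")
```

Run it directly to see the three verdicts, or call fetch_headers on a URL of your own and pass the result to framing_policy. The precedence rule mirrors what browsers do: when both a frame-ancestors directive and an X-Frame-Options header are present, the CSP directive wins, which is why the OWASP cheat sheet referenced below recommends sending both.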
References:
https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
https://www.whitehatsec.com/blog/x-frame-options/
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Clickjacking_Defense_Cheat_Sheet.md
https://erlend.oftedal.no/blog/tools/xframeoptions/