Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.
Need help with X-Frame-Options response header configuration - IIS8
I am trying to fix a vulnerability found during a penetration scan. I need to correct the X-Frame-Options response header and set it to DENY so that the webpage is unable to be opened in a frame. I found this page:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
That says to add this to the <system.webServer> section.
<system.webServer>
...
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
...
</system.webServer>
to my web.config file. It looked straightforward enough, so I found that section and added that to the web.config file and still getting the alert when I run the penetration test after the change was made.
I need to know if there is something else I need to do in order for this to be set correctly.
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
That says to add this to the <system.webServer> section.
<system.webServer>
...
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
...
</system.webServer>
to my web.config file. It looked straightforward enough, so I found that section and added that to the web.config file and still getting the alert when I run the penetration test after the change was made.
I need to know if there is something else I need to do in order for this to be set correctly.
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
I also found this and the header is currently set to DENY, please advise:
The X-Frame-Options header can be used to control whether a page can be placed in an IFRAME. Because the Framesniffing technique relies on being able to place the victim site in an IFRAME, a web application can protect itself by sending an appropriate X-Frame-Options header.
To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:
Open Internet Information Services (IIS) Manager.
In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
Double-click the HTTP Response Headers icon in the feature list in the middle.
In the Actions pane on the right side, click Add.
In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
Click OK to save your changes.
The X-Frame-Options header can be used to control whether a page can be placed in an IFRAME. Because the Framesniffing technique relies on being able to place the victim site in an IFRAME, a web application can protect itself by sending an appropriate X-Frame-Options header.
To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:
Open Internet Information Services (IIS) Manager.
In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
Double-click the HTTP Response Headers icon in the feature list in the middle.
In the Actions pane on the right side, click Add.
In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
Click OK to save your changes.
In my experience, this section needs to be added in the applicationhost.config file rather than the web.config. This is also a better approach because web.config changes can be overwritten easily as new versions of applications are deployed unless good source control practises are in place.
You can follow the instructions above using the GUI tool or you can run the following PowerShell script on the server (as Administrator).
You can follow the instructions above using the GUI tool or you can run the following PowerShell script on the server (as Administrator).
$Header = 'X-Frame-Options'
$Value = 'SAMEORIGIN'
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/httpProtocol/customHeaders' -name '.' -value @{name=$Header;value=$Value}
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
I checked the values in the GUI following the instructions and it shows the value set to DENY. Not sure if this is working as the test I run (OWASP ZAP) is still showing that this is not set correctly. Would running the above script produce a different result?
You have to remember that IIS configuration is hierarchical and it can be sometimes difficult to work out which settings have been applied.
Roughly speaking it goes like this:
machine.config -> root web.config -> applicationhost.config -> web.config
The GUI tool will always choose to write configuration into the most specific location it can (normally the web.config but sometimes the applicationhost.config if that section is "locked"). You can see this in the window status bar (bottom left hand side) when you are in features view.
It will be either:
If you remove an entry that has been applied at a server level then IIS will write a remove in the web.config which is represented by the setting not showing in the GUI. In this case running the script above would not help because more specific settings take precedence.
It might well be that you have a setting in the web.config to remove the header. You will need to check the appropriate section in your web.config file to see whether this is the case.
If there is nothing in the system.webServer/httpProto
Hope that makes sense.
Carl
Roughly speaking it goes like this:
machine.config -> root web.config -> applicationhost.config -> web.config
The GUI tool will always choose to write configuration into the most specific location it can (normally the web.config but sometimes the applicationhost.config if that section is "locked"). You can see this in the window status bar (bottom left hand side) when you are in features view.
It will be either:
Configuration: 'web site name' web.config
Configuration: 'localhost' applicationhost.config
Configuration: 'localhost' applicationhost.config <location path = 'web site name'>
If you remove an entry that has been applied at a server level then IIS will write a remove in the web.config which is represented by the setting not showing in the GUI. In this case running the script above would not help because more specific settings take precedence.
It might well be that you have a setting in the web.config to remove the header. You will need to check the appropriate section in your web.config file to see whether this is the case.
If there is nothing in the system.webServer/httpProto
Hope that makes sense.
Carl
The above information helped me achieve the desired response, that is, the form will not allow a frame to be called for the page(s) in question. My issue now is that OWASP still flags this as it is not working and I am trying to figure out why this is happening.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Development
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - PowerPoint 2007… 229 lessons
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.