I'm doing web app testing and found a vulnerability involving multiple X-Frame-Options header entries. Which browsers are vulnerable to multiple X-Frame-Options headers?
What attacks are possible with multiple X-Frame-Options header entries? Clickjacking seems to be a hard approach since it is not possible with newer browsers.
According to RFC 7034 [1], it is allowed to set multiple message-headers with the same name. When such message-headers are present, they are usually concatenated (Firefox) and a single message-header is formed by the browser (client), since that is allowed by the RFC.
Multiple message-header fields with the same field-name MAY be present
in a message if and only if the entire field-value for that header
field is defined as a comma-separated list [i.e., #(values)]. It MUST
be possible to combine the multiple header fields into one
"field-name: field-value" pair, without changing the semantics of the
message, by appending each subsequent field-value to the first, each
separated by a comma.
For the message-header X-FRAME-OPTIONS, only these 3 values are recognized as valid: "DENY", "SAMEORIGIN" and "ALLOW-FROM". These values are mutually exclusive, which means that only these values should be present, and only one of them can be present in the header.
Let's say the server sets 2 message-headers with the same name.
HTTP/1.1 200 OK
Server: nginx/1.11.3
Date: Wed, 24 May 2017 04:31:29 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 5870
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=9F18D25951F107BE4C528CD787A3FE2F; Path=/; Secure; HttpOnly
Last-Modified: Thu, 02 Feb 2017 22:41:36 GMT
ETag: W/"5870-1486075296000"
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Note that the server is responding with 2 X-FRAME-OPTIONS message-headers
X-FRAME-OPTIONS:DENY
X-FRAME-OPTIONS:SAMEORIGIN
In Firefox (not just Firefox), this would be interpreted as X-FRAME-OPTIONS:"DENY,SAMEORIGIN" by the browser engine. Since these header values are mutually exclusive despite the concatenation allowed by the RFC, the browser attempts to interpret DENY,SAMEORIGIN as one single element, and that causes the anti-clickjacking measure to fail.
Here's a nice blog post [2] which explains this further, and [3] speaks of a similar issue.
[1] https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html
[2] https://blog.qualys.com/securitylabs/2015/10/20/clickjacking-a-common-implementation-mistake-that-can-put-your-websites-in-danger
[3] https://wordpress.org/support/topic/multiple-x-frame-options-headers-with-conflicting-values-sameorigin-deny/
Hope you'll find this info useful. :)
Cheers,
Milinda.
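The following is an added example, not code from the question or from Milinda's answer. It takes a captured raw HTTP response (a constructed, abbreviated copy of the one shown in the answer), collects every X-Frame-Options field, joins duplicates with a comma the way the combining rule quoted above (and the Fetch API's Headers.get) does, and then checks whether the combined value is still a single recognised directive. The verdict it produces ("conflicting", "duplicate", "invalid", "ok", "missing") is this script's own classification of the server configuration; what a given browser engine does with a conflicting value is a separate question and should be confirmed in the browser itself rather than inferred from this check.

```javascript
// Added example (not from the original post): detect duplicate or
// conflicting X-Frame-Options headers in a captured HTTP response.

// Directives that X-Frame-Options defines; ALLOW-FROM additionally carries a URI.
const VALID_DIRECTIVES = ["DENY", "SAMEORIGIN"];

// Constructed sample: an abbreviated version of the response in the answer above.
const SAMPLE_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Server: nginx/1.11.3",
  "Content-Type: text/html;charset=UTF-8",
  "X-Frame-Options: DENY",
  "X-Content-Type-Options: nosniff",
  "X-Frame-Options: SAMEORIGIN",
  "Strict-Transport-Security: max-age=31536000; includeSubDomains",
  "",
  "<html>...</html>",
].join("\r\n");

// Split a raw response into [{name, value}] pairs, keeping duplicates in order.
// Header names are case-insensitive, so they are lower-cased here.
function parseHeaders(raw) {
  const headerBlock = raw.split(/\r?\n\r?\n/)[0];
  const lines = headerBlock.split(/\r?\n/).slice(1); // drop the status line
  const headers = [];
  for (const line of lines) {
    const idx = line.indexOf(":");
    if (idx === -1) continue; // not a header field; ignore
    headers.push({
      name: line.slice(0, idx).trim().toLowerCase(),
      value: line.slice(idx + 1).trim(),
    });
  }
  return headers;
}

// All values carried by fields with the given name, in order of appearance.
function collect(headers, name) {
  const n = name.toLowerCase();
  return headers.filter((h) => h.name === n).map((h) => h.value);
}

// Combine duplicate fields into one field-value, comma-separated, as the
// quoted RFC rule describes and as Fetch's Headers.get() reports them.
function combine(values) {
  return values.join(", ");
}

// Classify the server's X-Frame-Options configuration.
function classifyXFO(headers) {
  const values = collect(headers, "X-Frame-Options");
  if (values.length === 0) {
    return { status: "missing", values, combined: null };
  }
  const combined = combine(values);
  const tokens = combined.split(",").map((t) => t.trim().toUpperCase());
  const isDirective = (t) =>
    VALID_DIRECTIVES.includes(t) || /^ALLOW-FROM\s+\S+$/.test(t);

  if (tokens.length === 1) {
    // Exactly one field: it is either a recognised directive or garbage.
    return { status: isDirective(tokens[0]) ? "ok" : "invalid", values, combined };
  }
  // More than one field: the combined value "DENY, SAMEORIGIN" is no longer
  // one of the mutually exclusive directives the header defines.
  const distinct = new Set(tokens);
  return {
    status: distinct.size > 1 ? "conflicting" : "duplicate",
    values,
    combined,
  };
}

// Stand-alone run over the constructed sample.
console.log(classifyXFO(parseHeaders(SAMPLE_RESPONSE)));
```

Run it with node; for a live target, feed the script the raw response captured by the intercepting proxy instead of SAMPLE_RESPONSE. A "conflicting" or "duplicate" verdict is the finding to report: the fix is to emit exactly one X-Frame-Options field (and, on current browsers, a Content-Security-Policy frame-ancestors directive alongside it), typically by removing the duplicate from whichever layer (application framework, reverse proxy, or security filter) adds the second one.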