Recently ran a WebInspect scan of a small app I'm working on and it returned a critical level warning: Cross-Frame Scripting.
I confirmed the vulnerability by using iframes with the app in the src. It showed up (I am behind several firewalls, but still wanted to fix this STAT).
So I edit the config for Apache with these headers (then restarted the service):
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
Header always set X-XSS-Protection "1; mode=block"
Go back to my simple test page (iframe with src=myapp) and the app no longer appears in the iframe. Mission accomplished, no? No.
A subsequent WebInspect scan is still reporting a critical Cross-Frame Scripting vulnerability.
Are there ways of defeating Apache XSS protections (above) that I am missing? Or is WebInspect specifically looking for something on the client side?
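Added example (not part of the original post): a small Python checker that classifies each crawled response the way a scanner does, looking for either a `Content-Security-Policy: frame-ancestors` directive or a `DENY`/`SAMEORIGIN` `X-Frame-Options` value, and reporting every response that lacks one. The sample crawl below is constructed, with `myapp.example` as a placeholder host; it illustrates why `Header always set` matters in the Apache config, since `always` makes the header apply to non-2xx responses (error pages, redirects) that a scanner also visits.

```python
"""Scanner-style check for cross-frame scripting (clickjacking) protection.

Added example; the sample responses below are constructed, not captured
from any real application.
"""


def framing_protection(headers):
    """Classify one response's headers.

    Returns (protected: bool, reason: str). Header names are matched
    case-insensitively, as browsers do.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # 1. A CSP frame-ancestors directive takes precedence over
    #    X-Frame-Options in browsers that support it.
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if "*" in sources:
                return False, "CSP frame-ancestors allows any origin (*)"
            return True, "CSP frame-ancestors " + " ".join(sources)

    # 2. X-Frame-Options: only DENY and SAMEORIGIN are honoured by browsers.
    xfo = h.get("x-frame-options")
    if xfo is None:
        return False, "no X-Frame-Options or frame-ancestors header"
    value = xfo.upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + value
    if value.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    # Anything else (e.g. "DENY, SAMEORIGIN" from two layers each adding
    # the header) is flagged: browser handling of invalid values varies.
    return False, "unrecognised X-Frame-Options value: " + xfo


def unprotected_responses(responses):
    """responses: iterable of (url, status, headers).

    A scanner walks every URL it discovered, including error pages and
    redirects, and flags each response without framing protection.
    Returns a list of (url, status, reason).
    """
    findings = []
    for url, status, headers in responses:
        protected, reason = framing_protection(headers)
        if not protected:
            findings.append((url, status, reason))
    return findings


# Constructed sample crawl (placeholder host myapp.example): the main page
# and the redirect carry the header, the 404 page does not.
SAMPLE_CRAWL = [
    ("https://myapp.example/", 200,
     {"X-Frame-Options": "DENY", "Content-Type": "text/html"}),
    ("https://myapp.example/missing", 404,
     {"Content-Type": "text/html"}),
    ("https://myapp.example/login", 302,
     {"Location": "/", "X-Frame-Options": "SAMEORIGIN"}),
    ("https://myapp.example/api", 200,
     {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}),
]

if __name__ == "__main__":
    # To check a live app, replace SAMPLE_CRAWL with (url, status, headers)
    # tuples taken from real responses, e.g. via urllib or requests.
    for url, status, reason in unprotected_responses(SAMPLE_CRAWL):
        print(f"{status} {url}: {reason}")
```

Running it prints only the 404 page, which is the kind of response a scanner still reports after a header is added to the main pages; checking the whole crawl, not just the page loaded in a test iframe, is what tells the two apart.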