


Report x-frame-options as being deprecated in favor of CSP
sullo committed Dec 30, 2023
1 parent b25a36b commit 7e3eae4
Showing 1 changed file with 3 additions and 20 deletions.
23 changes: 3 additions & 20 deletions program/plugins/nikto_headers.plugin
Expand Up @@ -147,38 +147,21 @@ sub nikto_headers_postfetch {
}

# Look for X-Frame-Options
if (!$XFRAME{ $mark->{hostname} }{ $mark->{port} } && defined $result->{'whisker'}->{'code'}) {
if (!$XFRAME{ $mark->{hostname} }{ $mark->{port} } && defined $result->{'whisker'}->{'code'} && $result->{'whisker'}->{'code'} == 200) {
if (defined $result->{'x-frame-options'}) {
if ($result->{'x-frame-options'} =~ /^ALLOW-FROM/) {
my $allowed = $result->{'x-frame-options'};
$allowed =~ s/^.* //g;
add_vulnerability(
$mark,
$request->{'whisker'}{'uri'}
. ":X-Frame-Options header is set to allow framing from $allowed. This does not have full cross-browser support (only in IE and Firefox) and may lead to the header being ignored.",
. ":X-Frame-Options header is deprecated and has been replaced with the Content-Security-Policy HTTP header with the frame-ancestors directive instead.",
999978,
"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
$request->{'whisker'}->{'method'},
$request->{'whisker'}->{'uri'},
$request,
$result
);
}
}
else {
add_vulnerability(
$mark,
$request->{'whisker'}{'uri'}
. ": The anti-clickjacking X-Frame-Options header is not present.",
999957,
"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
$request->{'whisker'}->{'method'},
$request->{'whisker'}->{'uri'},
$request,
$result
);
$XFRAME{ $mark->{hostname} }{ $mark->{port} } = 1;
}
$XFRAME{ $mark->{hostname} }{ $mark->{port} } = 1;
}

# Incapsula WAF
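Review bot: With the 999957 "header is not present" branch gone, the new block only fires when X-Frame-Options is set, so a 200 response carrying neither X-Frame-Options nor a Content-Security-Policy frame-ancestors directive now produces no clickjacking finding at all, while a response that sends X-Frame-Options purely as a fallback next to a CSP frame-ancestors policy is still reported as deprecated. The deprecation message itself points at frame-ancestors, so I would read the CSP header before the add_vulnerability call (presumably `$result->{'content-security-policy'}`, mirroring the lowercase `x-frame-options` key — confirm against the header parsing), report the deprecation only when frame-ancestors is absent, and keep a finding for the case where no framing protection exists. The test ID 999978 previously identified the ALLOW-FROM case and now carries a different message; if the tests database lists it, its description likely needs the same update. nikto_headers_postfetch starts before this hunk and continues after it.
```perl
if (!$XFRAME{ $mark->{hostname} }{ $mark->{port} } && defined $result->{'whisker'}->{'code'} && $result->{'whisker'}->{'code'} == 200) {
    # Key assumed lowercase like 'x-frame-options' -- confirm against whisker's header parsing.
    my $csp = $result->{'content-security-policy'} // '';
    my $has_frame_ancestors = ($csp =~ /frame-ancestors/i);
    if (defined $result->{'x-frame-options'} && !$has_frame_ancestors) {
        # ... unchanged: add_vulnerability(...) reporting 999978 deprecation ...
    }
    elsif (!defined $result->{'x-frame-options'} && !$has_frame_ancestors) {
        add_vulnerability(
            $mark,
            $request->{'whisker'}{'uri'}
            . ": Neither the X-Frame-Options header nor a Content-Security-Policy frame-ancestors directive is present.",
            999957,
            "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
            # ... unchanged: method, uri, $request, $result ...
        );
    }
    $XFRAME{ $mark->{hostname} }{ $mark->{port} } = 1;
}
```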
