What browsers are vulnerable for multiple x-frame-options


Question


I'm doing a web app testing and found some vulnerability on having the Multiple x-frame-options header entries. What browsers are vulnerable for multiple x-frame-options?


What are the attacks possible for the Multiple x-frame-options header entries? ClickJacking seems to be a hard approach since this is not possible with the newer browsers.

Recommended answer


According to RFC7034 [1], it is allowed to set multiple message-headers with the same name. When such message-headers are present, they are usually concatenated (Firefox) and a single message-header is formed by the browser (client) since that is allowed by the RFC.


Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. It MUST be possible to combine the multiple header fields into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field-value to the first, each separated by a comma.


For the message-header X-FRAME-OPTIONS, only these 3 values are recognized as valid; "DENY", "SAMEORIGIN" and "ALLOW-FROM". These values are mutually exclusive, which means that only these values should be present and also only one of them can be present in the header.


Let's say the server sets 2 message-headers with the same name.

HTTP/1.1 200 OK
Server: nginx/1.11.3
Date: Wed, 24 May 2017 04:31:29 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 5870
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=9F18D25951F107BE4C528CD787A3FE2F; Path=/; Secure; HttpOnly
Last-Modified: Thu, 02 Feb 2017 22:41:36 GMT
ETag: W/"5870-1486075296000"
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block


Note that the server is responding with 2 X-FRAME-OPTIONS message-headers

X-FRAME-OPTIONS: DENY
X-FRAME-OPTIONS: SAMEORIGIN


In Firefox (not just Firefox), this would be interpreted as X-FRAME-OPTIONS:"DENY,SAMEORIGIN" by the browser engine. Since these header values are mutually exclusive despite the concatenation allowed by the RFC, the browser attempts to interpret DENY,SAMEORIGIN as one single element and it causes the anti-clickjacking measure to fail.


Here's a nice blog [2] which explains this further and [3] speaks of a similar issue.

[1] https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html
[2] https://blog.qualys.com/securitylabs/2015/10/20/clickjacking-a-common-implementation-mistake-that-can-put-your-websites-in-danger
[3] https://wordpress.org/support/topic/multiple-x-frame-options-headers-with-conflicting-values-sameorigin-deny/


Hope you'll find this info useful. :)

Cheers,
Milinda.
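As an added illustration of the answer's point (example code written for this page, not part of the original answer), the following audit helper parses a raw HTTP response, collects every X-Frame-Options header, folds duplicates the way the RFC rule quoted above allows a client to, and reports whether the effective value is still a single valid directive. The sample response is constructed from the one quoted in the answer.

```python
# Added audit helper (not from the original answer): parse a raw HTTP response,
# collect every X-Frame-Options header, and report whether the effective value a
# concatenating browser would see is still a single valid directive.
from typing import Dict, List, Tuple

VALID_DIRECTIVES = ("DENY", "SAMEORIGIN", "ALLOW-FROM")

# Constructed sample response, trimmed from the one quoted in the answer.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.11.3\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs in wire order, keeping duplicates."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_xfo(raw: str) -> Dict[str, object]:
    """Classify the X-Frame-Options configuration of a response."""
    values = [v for n, v in parse_headers(raw) if n == "x-frame-options"]
    if not values:
        return {"ok": False, "effective": None,
                "reason": "no X-Frame-Options header: framing is not restricted"}
    # A client may fold same-name headers into one comma-separated value;
    # X-Frame-Options has no list syntax, so the merged value is not a
    # directive the browser recognises and the protection is lost.
    effective = ", ".join(values)
    if len(values) > 1 or "," in effective:
        return {"ok": False, "effective": effective,
                "reason": "conflicting X-Frame-Options values; merged value is "
                          "not a valid directive, anti-clickjacking may be lost"}
    directive = effective.split(None, 1)[0].upper()
    if directive not in VALID_DIRECTIVES:
        return {"ok": False, "effective": effective,
                "reason": f"unknown directive {directive!r}"}
    return {"ok": True, "effective": effective, "reason": "single valid directive"}
```

The same check flags a single header carrying "DENY, SAMEORIGIN", which is what a proxy that pre-merges headers would forward.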
