
Possible Clickjacking Vulnerability

Question asked by Gude Hideki on Jan 30, 2013
Latest reply on Apr 8, 2014 by Dingjie Yang



I've got a scan report today detecting a Possible Clickjacking Vulnerability on my web application.

Even using both preventions suggested from Qualys, the vulnerability still persists:


The response for this request did not have an "X-FRAME-OPTIONS" header present.


Here's the how I implemented X-frame-options:





    <meta charset=utf-8>
    <meta http-equiv="X-Frame-Options" content="deny">


And another suggestion was using Framekiller:



    // Frame-killer as posted; the left-hand side of the assignment and the closing
    // brace were lost in the post, so they are reconstructed here following the
    // OWASP pattern that pairs this script with <style>body { display: none; }</style>
    if ( self == top ) {
        document.body.style.display = 'block' ;   // not framed: reveal the page
    } else {
        top.location = self.location ;            // framed: break out of the frame
    }


I can only test the last one using the OWASP technique:

Is there any way to check if the X-Frame-Options was implemented correctly?

How does Qualys check this vulnerability, or can you suggest some way to do it?

I took this example from Bank of America; is it probably done on the server side?


Captura de Tela 2013-01-30 às 10.30.43.png





All documents in this website are .html, so I added these parameters to web.config inside the system.webServer node:




    <system.webServer>
      <!-- httpProtocol/customHeaders is the IIS element that holds <clear /> and
           <add name="..." value="..." />; the post shows only the two inner lines -->
      <httpProtocol>
        <customHeaders>
          <clear />
          <add name="X-FRAME-OPTIONS" value="DENY" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>




I tested on this tool: and it works fine.

Is this enough to pass through the scanner again?


Thanks in advance,
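The scanner finding quoted in the post is about the HTTP response header, so the only reliable check is to look at the headers the server actually sends, not at the HTML: browsers ignore X-Frame-Options delivered in a `<meta http-equiv>` tag, which is why the first attempt kept failing, while the web.config customHeaders entry does put the header on the wire. The following is an added example (not code from the post, from Qualys, or from the tool the post links to) that evaluates a response's headers the way a scanner would: it accepts DENY or SAMEORIGIN, rejects duplicated or ALLOW-FROM values, and also recognises the newer Content-Security-Policy frame-ancestors directive. The sample responses are constructed; `check_url` fetches a live URL with the standard library for real use.

```python
"""Check whether an HTTP response carries clickjacking protection.

Added example, not from the original post or from Qualys. The finding is
about the response header, so this inspects headers rather than HTML.
"""
import urllib.request

VALID_XFO = {"DENY", "SAMEORIGIN"}


def evaluate_frame_protection(headers):
    """Return (protected, reason) for a mapping of response headers.

    Header names are matched case-insensitively, as HTTP requires.
    X-Frame-Options is checked first, then CSP frame-ancestors.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}

    xfo = lower.get("x-frame-options")
    if xfo is not None:
        # Two X-Frame-Options headers get folded into "A, B"; browsers treat a
        # conflicting pair as invalid, so report it instead of picking one.
        if "," in xfo:
            return False, f"multiple X-Frame-Options values: {xfo!r}"
        value = xfo.upper()
        if value in VALID_XFO:
            return True, f"X-Frame-Options: {value}"
        if value.startswith("ALLOW-FROM"):
            return False, "ALLOW-FROM is not supported by modern browsers"
        return False, f"unrecognised X-Frame-Options value: {xfo!r}"

    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return True, f"CSP frame-ancestors {value.strip()}"

    return False, "no X-Frame-Options or frame-ancestors header"


def check_url(url):
    """Fetch a URL and evaluate its framing headers (needs network access)."""
    with urllib.request.urlopen(url) as resp:
        merged = {}
        # Preserve duplicate headers by folding them, as a browser would see them.
        for name, value in resp.headers.items():
            merged[name] = f"{merged[name]}, {value}" if name in merged else value
        return evaluate_frame_protection(merged)


# Constructed sample responses (not real scan data).
SAMPLES = {
    "meta tag only": {"Content-Type": "text/html"},  # <meta> puts nothing on the wire
    "web.config header": {"Content-Type": "text/html", "X-FRAME-OPTIONS": "DENY"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "bad value": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
}


def run_samples():
    """Evaluate every constructed sample; returns {name: protected?}."""
    return {name: evaluate_frame_protection(h)[0] for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        ok, reason = evaluate_frame_protection(headers)
        print(f"{name:18} {'PASS' if ok else 'FAIL'}  {reason}")
```

Run it against the site with `check_url("https://your-host/")` after deploying the web.config change; a PASS there is what the scanner is looking for, whereas the frame-killer script is a client-side fallback that cannot satisfy a header check.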