Web Application Potentially Vulnerable to Clickjacking

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote web server may fail to mitigate a class of web application
vulnerabilities.

Description :

The remote web server does not set an X-Frame-Options response header
or a Content-Security-Policy 'frame-ancestors' response header in all
content responses. This could expose the site to a clickjacking or UI
redress attack, in which an attacker loads the vulnerable page in an
invisible or disguised frame on a page they control and tricks a
logged-in user into clicking an element of the vulnerable page while
the user believes they are interacting with something else. The click
is delivered with the user's own session, so it can result in the user
performing fraudulent or malicious transactions without realising it.

X-Frame-Options was introduced by Microsoft (in Internet Explorer 8)
as a way to mitigate clickjacking attacks and is now supported by all
major browsers. Only its DENY and SAMEORIGIN values are reliable: the
ALLOW-FROM value was never supported by Chrome or Safari, and a browser
that does not recognise the value ignores the header entirely.

Content-Security-Policy (CSP) is a W3C Web Application Security
Working Group standard, now supported by all major browsers, that
mitigates clickjacking and other attacks. Its 'frame-ancestors'
directive restricts which origins may embed the protected resource in
frame, iframe, object or embed elements, and browsers that implement it
give it precedence over X-Frame-Options when both headers are present.
The directive is honoured only when delivered in the
Content-Security-Policy response header: it is ignored in a <meta>
element, and a Content-Security-Policy-Report-Only header reports
violations without enforcing them.

Note that while the X-Frame-Options and Content-Security-Policy
response headers are not the only mitigations for clickjacking, they
are the most reliable ones that can be detected by automated scanning.
This plugin may therefore produce false positives if other mitigations
(e.g., frame-busting JavaScript) are deployed or if the page performs
no security-sensitive actions. Frame-busting scripts are themselves
bypassable (for example, a framing page can use the iframe sandbox
attribute to disable the framed page's scripts), so the headers remain
the recommended control.
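The check the description implies, written out as an added example (this is not Tenable's plugin code): a response is classified from its headers alone, counting as protected only when it carries X-Frame-Options or a Content-Security-Policy frame-ancestors directive, and the browser-behaviour caveats above (ALLOW-FROM, unrecognised values, wildcard frame-ancestors, Report-Only policies, CSP precedence) are flagged. The function names and the sample responses are this example's own; the samples are constructed, not captured from any real host.

```python
"""Classify an HTTP response's anti-framing headers (added example)."""
from typing import Dict, Iterable, List, Tuple

Headers = Iterable[Tuple[str, str]]

# X-Frame-Options values that every major browser enforces.
RELIABLE_XFO = {"deny", "sameorigin"}


def header_values(headers: Headers, name: str) -> List[str]:
    """All values of a (case-insensitive) header name, in order."""
    return [v.strip() for k, v in headers if k.lower() == name.lower()]


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split one CSP header value into {directive name: source list}.

    A directive repeated within one policy is ignored after its first
    occurrence, so setdefault keeps the first one.
    """
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def assess_framing(headers: Headers) -> Tuple[str, str]:
    """Return (status, reason) for a response.

    status is 'protected'   - browsers will refuse cross-site framing,
              'weak'        - a header is present but does not reliably stop it,
              'unprotected' - neither header is present (what the plugin reports).
    """
    headers = list(headers)

    # Browsers that implement frame-ancestors give it precedence over
    # X-Frame-Options when both are present, so evaluate CSP first.
    for value in header_values(headers, "Content-Security-Policy"):
        sources = parse_csp(value).get("frame-ancestors")
        if sources is None:
            continue  # a CSP without frame-ancestors says nothing about framing
        lowered = [s.lower() for s in sources]
        if "*" in lowered or "http:" in lowered or "https:" in lowered:
            return "weak", "frame-ancestors permits any origin: " + " ".join(sources)
        return "protected", "CSP frame-ancestors " + " ".join(sources)

    raw = header_values(headers, "X-Frame-Options")
    if raw:
        # Intermediaries may merge repeated headers into one comma-separated value.
        values = {v.strip().lower() for r in raw for v in r.split(",") if v.strip()}
        if not values:
            return "weak", "empty X-Frame-Options header"
        if len(values) > 1:
            return "weak", "conflicting X-Frame-Options values: " + ", ".join(sorted(values))
        (value,) = values
        if value in RELIABLE_XFO:
            return "protected", "X-Frame-Options " + value.upper()
        if value.startswith("allow-from"):
            return "weak", ("ALLOW-FROM was never supported by Chrome or Safari, which "
                            "ignore the header entirely; use frame-ancestors instead")
        return "weak", "browsers ignore the unrecognised X-Frame-Options value " + repr(value)

    if header_values(headers, "Content-Security-Policy-Report-Only"):
        # Report-Only policies are reported, never enforced.
        return "unprotected", "only a Content-Security-Policy-Report-Only header is present"
    return "unprotected", "no X-Frame-Options or CSP frame-ancestors header"


# Constructed sample responses (not captured from any real host).
SAMPLES = {
    "no headers": [("Content-Type", "text/html")],
    "xfo deny": [("X-Frame-Options", "DENY")],
    "xfo allow-from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "csp none": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "csp without fa": [("Content-Security-Policy", "default-src 'self'")],
    "csp wildcard": [("Content-Security-Policy", "frame-ancestors *")],
    "report only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        status, reason = assess_framing(hdrs)
        print(f"{label:16} {status:12} {reason}")
```

Run it against the header list of every response in a crawl, not just the landing page: the plugin's wording ("in all content responses") is deliberate, since a single unprotected page with a sensitive form is enough for the attack.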

See also :

http://www.nessus.org/u?399b1f56
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
https://en.wikipedia.org/wiki/Clickjacking

Solution :

Return an X-Frame-Options header (DENY, or SAMEORIGIN if the site
frames its own pages) and a Content-Security-Policy header with the
'frame-ancestors' directive ('none', 'self' or an explicit list of
permitted origins) with every response, including error pages and
static content, not just the main HTML pages. This prevents the page's
content from being rendered by another site in frame, iframe, object
or embed elements. Sending both headers covers older browsers that
know only X-Frame-Options as well as current ones, which prefer
frame-ancestors when both are present.
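One way to apply the solution server-side, as an added example for a Python WSGI application (not code from the Nessus plugin or from any project): a middleware adds both headers to every response the application emits, including 404 pages, and leaves alone any response on which the application already made a framing decision. AntiFramingMiddleware, demo_app and run_request are this example's own names, and demo_app is a constructed stand-in for a real application.

```python
"""WSGI middleware that adds anti-framing headers to every response (added example)."""
from typing import Callable, Iterable, List, Tuple
from wsgiref.util import setup_testing_defaults

Header = Tuple[str, str]


def has_frame_ancestors(headers: List[Header]) -> bool:
    """True if any Content-Security-Policy header carries a frame-ancestors directive."""
    for name, value in headers:
        if name.lower() == "content-security-policy":
            for directive in value.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    return True
    return False


class AntiFramingMiddleware:
    """Safety net for responses the application forgot to protect.

    If the application already set X-Frame-Options or a frame-ancestors
    directive, the response passes through untouched, on the assumption that
    the application made a deliberate choice (e.g. a widget meant to be framed
    by the same origin). Otherwise both headers are added, so browsers that know
    only X-Frame-Options and those that prefer frame-ancestors are both covered.
    """

    def __init__(self, app: Callable, allow_same_origin: bool = False) -> None:
        self.app = app
        if allow_same_origin:
            self.xfo, self.csp = "SAMEORIGIN", "frame-ancestors 'self'"
        else:
            self.xfo, self.csp = "DENY", "frame-ancestors 'none'"

    def add_headers(self, headers: List[Header]) -> List[Header]:
        has_xfo = any(k.lower() == "x-frame-options" for k, _ in headers)
        if has_xfo or has_frame_ancestors(headers):
            return headers
        # A second Content-Security-Policy header does not loosen an existing
        # policy: browsers enforce every policy they receive.
        return headers + [("X-Frame-Options", self.xfo),
                          ("Content-Security-Policy", self.csp)]

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            return start_response(status, self.add_headers(list(headers)), exc_info)
        return self.app(environ, patched_start_response)


def demo_app(environ, start_response) -> Iterable[bytes]:
    """Constructed application: an unprotected page, a self-framing widget, and 404s."""
    path = environ.get("PATH_INFO", "/")
    if path == "/":
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("Content-Security-Policy", "default-src 'self'")])
        return [b"<h1>Account settings</h1>"]
    if path == "/embed":
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("Content-Security-Policy", "frame-ancestors 'self'")])
        return [b"<p>widget</p>"]
    start_response("404 Not Found", [("Content-Type", "text/html")])
    return [b"<h1>Not found</h1>"]


def run_request(app: Callable, path: str = "/") -> Tuple[str, List[Header], bytes]:
    """Drive a WSGI app in-process and return (status, headers, body)."""
    environ: dict = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured: dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


protected_app = AntiFramingMiddleware(demo_app)

if __name__ == "__main__":
    for path in ("/", "/embed", "/missing"):
        status, headers, _ = run_request(protected_app, path)
        print(path, status, [h for h in headers if h[0] != "Content-Type"])
```

Application middleware only covers responses the application produces. Error pages and static files served directly by the web server or reverse proxy never pass through it, so the same headers must also be configured there, which is exactly the gap the plugin's "in all content responses" wording is meant to catch.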

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

Family: Web Servers

Nessus Plugin ID: 85582

Bugtraq ID:

CVE ID:
