A penetration tester notices that the X-Frame-Options header on a web application is not set. Which of the following would a malicious actor do to exploit this configuration setting?
A.
Use path modification to escape the application's framework.
B.
Create a frame that overlays the application.
C.
Inject a malicious iframe containing JavaScript.
Right! Was my thought too! Guys, keep in mind that boblee has had many correct answers, including the exact answers as slchrome on the simulation about matching injections and XSS with mitigations. I have also seen correct answers in several other places by boblee...I would listen to him and ignore d1960 and robot...not picking on them, they are simply copying and pasting conjecture and sybex...that is free advice
https://www.youtube.com/watch?v=rBWiiKX9Cyo
Watch this to see exactly why this is, basically without this header, the website can be embedded in an iframe on the attacker's site, so attacker sends a malicious link, the user clicks it and since the attacker site is at the top level, so to speak, it can place a button over top of the iframe content of the legit site.
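A defender-side check for the exposure described above, as an added example that is not part of this thread or any of the linked sources: it decides from a response's headers whether the page can be framed at all. It assumes the standard browser rules that a CSP frame-ancestors directive takes precedence over X-Frame-Options when both are present, and that ALLOW-FROM is obsolete and no longer enforced; sample responses are constructed.

```python
# Added example (not from the thread): decide whether a response's headers
# stop the page from being framed, i.e. whether a clickjacking overlay is possible.
# Assumptions: a CSP frame-ancestors directive takes precedence over
# X-Frame-Options when both are present; ALLOW-FROM is obsolete and ignored
# by current browsers, so it counts as no protection.

def framing_protection(headers):
    """Return (protected, reason) for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Content-Security-Policy frame-ancestors wins if present.
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if "*" in sources:
                return False, "CSP frame-ancestors allows any origin"
            # 'none', 'self', a list of origins, or an empty list (which
            # matches nothing, like 'none') all restrict framing.
            return True, ("CSP frame-ancestors " + " ".join(parts[1:])).strip()

    # 2. Fall back to X-Frame-Options.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete; browsers ignore it"
    if xfo:
        return False, "X-Frame-Options has an unrecognised value: " + xfo
    return False, "no framing restriction: any site can embed this page in an iframe"


def audit(responses):
    """Return {label: reason} for the entries of a {label: headers} mapping that are frameable."""
    return {label: framing_protection(hdrs)[1]
            for label, hdrs in responses.items()
            if not framing_protection(hdrs)[0]}


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = {
        "missing header": {"Content-Type": "text/html"},
        "deny": {"X-Frame-Options": "DENY"},
        "csp overrides bad xfo": {"X-Frame-Options": "ALLOWALL",
                                  "Content-Security-Policy": "frame-ancestors 'none'"},
        "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    }
    for label, reason in audit(samples).items():
        print(f"FRAMEABLE  {label}: {reason}")
```

The remediation the check looks for is the same either way: send `X-Frame-Options: DENY` (or `SAMEORIGIN`) and, for modern browsers, `Content-Security-Policy: frame-ancestors 'none'`.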
I thought it was B at first, but after looking into it, I'm certain it's C:
XSS Attack Using Frames
To exploit a Cross Site Scripting on a third-party web page at example.com, the attacker could create a web page at evil.com, which the attacker controls, and include a hidden iframe in the evil.com page. The iframe loads the flawed example.com page, and injects some script into it through the XSS flaw. In this example, the example.com page prints the value of the “q” query parameter from the page’s URL in the page’s content without escaping the value. This allows the attacker to inject some JavaScript into the example.com page which steals the browser-user’s example.com cookie, and sends the cookie via a fake-image request to evil.com (the iframe’s src URL is wrapped for legibility):
The iframe is hidden off-screen, so the browser user won’t have any idea that they just “visited” the example.com page. However, this attack is effectively the same as a conventional XSS attack, since the attacker could have simply redirected the user directly to the example.com page, using a variety of methods, including a meta element like this (again, the meta element’s URL is wrapped for legibility)
Source:
https://owasp.org/www-community/attacks/Cross_Frame_Scripting
It is B
The test writers are all about obfuscation. Some of the questions are just stupid.
I'd like to meet a test writer in a back alley and run my stepper.bat file
Everyone seems to be missing the subtle sleight of hand on B.
There's a difference between a frame and an iframe in HTML. Look at the verbiage, it says frame on B. C is eliminated over the JavaScript element.
The HTML <iframe> src attribute is used to specify the URL of the document that is embedded in the <iframe> element. Syntax: <iframe src="URL"> Attribute Values: It contains a single value, URL, which specifies the URL of the document that is embedded in the iframe.
FWIW: the best answer to this question would be "clickjacking" but that is not offered. Answers B, C, and D, could all be part of a clickjacking attack.
I would go for C.
https://www.w3.org/Security/wiki/Clickjacking_Threats
https://blog.qualys.com/securitylabs/2012/11/29/clickjacking-an-overlooked-web-security-hole
Sounds like B could be the best answer:
https://www.w3.org/Security/wiki/Clickjacking_Threats - "The most common form of clickjacking attack involves obscuring a trusted dialogue by overlaying malicious content."
https://blog.qualys.com/securitylabs/2012/11/29/clickjacking-an-overlooked-web-security-hole - "Clickjacking is an attack that tricks a web user into clicking a button, a link or a picture, etc. that the web user didn’t intend to click, typically by overlaying the web page with an iframe. This malicious technique can potentially expose confidential information or, less commonly, take control of the user’s computer. For example, on Facebook, a clickjack can lead to an unauthorized user spamming your entire network of friends from your account."
the reason C is incorrect is the word JavaScript...the iframe would be embedded in another iframe in HTML, not JavaScript...I am not 100% certain since coding is my weak link!!
https://www.imperva.com/learn/application-security/clickjacking/