Technical Articles
F5 SMEs share good practice.
cancel
Showing results for 
Search instead for 
Did you mean: 
JRahm
Community Manager
Community Manager

An article on CIO.com yesterday discussed an easy attack vector on IE 11 on Windows 8.1, but it works on my Windows 7 with IE 10 as well. To see the (benign) attack in action, follow these steps:

  1. In IE, go to http://www.deusen.co.uk/items/insider3show.3362009741042107/.
  2. After 3 seconds, close the popup.
  3. Click the "Go" link.

This will launch another window that will load the Daily Mail site, and then after seven seconds, will show the injected payload "Hacked by Deusen."

The good news? This can be mitigated by your application, or centrally with a policy or iRule by inserting the X-Frame-Options header with either the DENY or SAMEORIGIN value. The DENY value is shown in the examples below.

LTM Policy

 

ltm policy xframecontrol {
    controls { forwarding }
    requires { http }
    rules {
        xframeopt {
            actions {
                0 {
                    http-header
                    response
                    insert
                    name X-Frame-Options
                    value DENY
                }
            }
            ordinal 1
        }
    }
    strategy first-match
}

LTM iRule

 

when HTTP_RESPONSE {
HTTP::header insert X-Frame-Options DENY
}

For more information on the X-Frame-Options header usage please check out these sites:

Comments
Brad_Parker
Cirrus
Cirrus
Jason, will SAMEORIGIN mitigate the vulnerability as well?
JRahm
Community Manager
Community Manager
yes, updated the article to indicate either option is acceptable for the mitigation.
Brad_Parker
Cirrus
Cirrus
You're the man!
Version history
Last update:
‎04-Feb-2015 07:07
Updated by:
Contributors