on 04-Feb-2015 07:07
An article on CIO.com yesterday discussed an easy attack vector on IE 11 on Windows 8.1, but it works on my Windows 7 with IE 10 as well. To see the (benign) attack in action, follow these steps:
Following them launches another window that loads the Daily Mail site and, after seven seconds, displays the injected payload "Hacked by Deusen" inside that page. The point is not the text itself: content from the attacker's page has been injected into a page served by an unrelated site, without any cooperation from that site.
The good news? Your application can mitigate this itself, or you can do it centrally on the BIG-IP with an LTM policy or an iRule, by adding the X-Frame-Options response header with a value of either DENY (never render this page inside a frame) or SAMEORIGIN (render it only inside frames from the same origin). Pick SAMEORIGIN if your application legitimately frames its own pages, because DENY will break that. Two caveats before you deploy: the header has to be present on every response you want protected, error pages included, not just the landing page; and if the application already sets X-Frame-Options, inserting another copy produces two headers on the wire, which browsers handle inconsistently, so replace the existing value rather than inserting a second one. The DENY value is shown in the examples below.
    ltm policy xframecontrol {
        controls { forwarding }
        requires { http }
        rules {
            xframeopt {
                actions {
                    0 {
                        http-header
                        response
                        insert
                        name X-Frame-Options
                        value DENY
                    }
                }
                ordinal 1
            }
        }
        strategy first-match
    }
    when HTTP_RESPONSE {
        HTTP::header insert X-Frame-Options DENY
    }
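Once the policy or iRule is in place, verify what actually reaches the browser rather than trusting the configuration. The checker below is an added example written for this article (it is not code from the article or from F5); it parses raw HTTP responses and classifies the X-Frame-Options header the way a browser would, including the cases the paragraph above warns about: a missing header on an error page, a duplicated header produced by inserting on top of one the application already set, a mis-typed value that browsers silently ignore, and the legacy ALLOW-FROM form that only some browsers honour. The sample responses are constructed for the example and do not come from any real site.

```python
# Added example (not from the article or F5): classify the X-Frame-Options
# header on raw HTTP responses so you can confirm a policy or iRule produced
# a usable header on every response, not just the landing page.

from typing import Dict, List, Tuple


def parse_response(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x response into its status line and (name, value) headers.

    Header names are lower-cased because HTTP header names are case-insensitive.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines:
        if ":" not in line:
            continue  # tolerate a malformed line rather than abort the audit
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def assess_xfo(raw: bytes) -> Dict[str, object]:
    """Return a verdict for the X-Frame-Options header of one response.

    PROTECTED   - exactly one directive, DENY or SAMEORIGIN (the RFC 7034 values,
                  compared case-insensitively)
    PARTIAL     - ALLOW-FROM <origin>: honoured by IE and Firefox, ignored by
                  Chrome and Safari, so it is not a complete mitigation
    CONFLICT    - more than one directive (duplicate header lines or a
                  comma-separated list); browsers disagree on what to do, so
                  treat the response as unprotected until it is fixed
    INVALID     - an unrecognised directive, which browsers ignore
    UNPROTECTED - header absent
    """
    _, headers = parse_response(raw)
    values = [v for n, v in headers if n == "x-frame-options"]
    if not values:
        return {"verdict": "UNPROTECTED", "directives": []}
    directives = [d.strip().upper() for v in values for d in v.split(",") if d.strip()]
    if len(directives) != 1:
        return {"verdict": "CONFLICT", "directives": directives}
    directive = directives[0]
    if directive in ("DENY", "SAMEORIGIN"):
        return {"verdict": "PROTECTED", "directives": directives}
    if directive.startswith("ALLOW-FROM "):
        return {"verdict": "PARTIAL", "directives": directives}
    return {"verdict": "INVALID", "directives": directives}


# Constructed sample responses for the example; not captured from any real site.
SAMPLES: Dict[str, bytes] = {
    # The victim page before the fix: frameable by anyone.
    "missing": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...",
    # What the policy or iRule above produces.
    "deny": b"HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n",
    # Header name and value are case-insensitive, so this is still valid.
    "sameorigin_lower": b"HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n\r\n",
    # The application already set SAMEORIGIN and the proxy inserted a second copy.
    "duplicate": (b"HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
                  b"X-Frame-Options: DENY\r\n\r\n"),
    # Legacy form with limited browser support.
    "allow_from": b"HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://example.com\r\n\r\n",
    # A typo that a browser silently ignores.
    "typo": b"HTTP/1.1 200 OK\r\nX-Frame-Options: SAME-ORIGIN\r\n\r\n",
    # Error pages need the header too; a 404 without it is still frameable.
    "error_page": b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n",
}


def audit(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Map each sample name to its verdict, giving a quick table of what needs fixing."""
    return {name: str(assess_xfo(raw)["verdict"]) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:18s} {verdict}")
```

To audit a live system, feed the checker the raw bytes of responses captured from the virtual server (for example from a packet capture or a script that reads the socket directly) for a representative set of URLs, including a page that does not exist, so that error responses are covered. The CONFLICT verdict is the one to watch for after deploying an insert-style policy or iRule on an application that already sets the header.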
For more information on X-Frame-Options header usage, please check out these sites: