X-Frame-Options test is a little bit excessive.

Posted by sebastien.aucouturier on 10 Feb, 2016 09:59 AM

Seems Arachni only agrees when X-Frame-Options is set to DENY.

To my mind it must only complain when X-Frame-Options is missing or is set to 'ALLOW-FROM'
and not warn us when the header is set to 'DENY' or 'SAMEORIGIN'.

  1. Support Staff 1 Posted by Tasos Laskos on 10 Feb, 2016 10:05 AM

    Judging from the code, it should only be logging it when missing.
    If you could show me the logged headers or better yet send me the AFR report (in private) that'd be very helpful.

    Also, which version and OS are you using?


  2. 2 Posted by sebastien.aucou... on 10 Feb, 2016 10:38 AM

    Hi Tasos.

    You're right, my analysis was bad.
    So I went deeper, and found that Arachni complains about a crawled '404 Not Found' page where X-Frame-Options is missing.

    Linux arachni-1.3.2-0.5.9

  3. Support Staff 3 Posted by Tasos Laskos on 10 Feb, 2016 10:39 AM

    No problem.

    Btw, better try the new version, you're one behind.


  4. Tasos Laskos closed this discussion on 10 Feb, 2016 10:39 AM.
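
The situation this thread ended on (regular pages send DENY or SAMEORIGIN, but a crawled 404 page sends no X-Frame-Options at all), as an added Ruby example that is not Arachni's code and not part of the original posts. The function names and sample responses are constructed; reporting ALLOW-FROM separately follows the original poster's suggestion and is an assumption, not Arachni's behaviour.

```ruby
# Added example, not Arachni's code. All responses below are constructed samples.
PROTECTIVE = %w[DENY SAMEORIGIN].freeze

# Case-insensitive header lookup; returns nil when the header is absent.
def header_value(headers, name)
  pair = headers.find { |k, _| k.to_s.casecmp?(name) }
  pair && pair[1].to_s.strip
end

# Classify one response's header set: :ok, :missing, :allow_from or :invalid.
def classify_xfo(headers)
  value = header_value(headers, 'X-Frame-Options')
  return :missing if value.nil? || value.empty?

  token = value.upcase
  return :ok if PROTECTIVE.include?(token)
  return :allow_from if token.start_with?('ALLOW-FROM')

  :invalid
end

# One finding per response that is not :ok, whatever its status code.
# Error pages (404, 500, ...) are checked like any other response.
def audit_frame_options(responses)
  responses.each_with_object([]) do |r, findings|
    verdict = classify_xfo(r[:headers])
    next if verdict == :ok

    findings << { url: r[:url], status: r[:status], verdict: verdict }
  end
end

# Constructed sample crawl: three application pages and one error page.
SAMPLE_RESPONSES = [
  { url: 'https://app.example/',        status: 200, headers: { 'X-Frame-Options' => 'DENY' } },
  { url: 'https://app.example/account', status: 200, headers: { 'x-frame-options' => 'sameorigin' } },
  { url: 'https://app.example/widget',  status: 200,
    headers: { 'X-Frame-Options' => 'ALLOW-FROM https://partner.example' } },
  { url: 'https://app.example/nope',    status: 404, headers: { 'Content-Type' => 'text/html' } }
].freeze

audit_frame_options(SAMPLE_RESPONSES).each do |f|
  puts "#{f[:status]} #{f[:url]}: X-Frame-Options #{f[:verdict]}"
end
```

When a scanner reports the header as missing on a site that is known to set it, the status code and URL of the flagged response show whether it came from an error page served by a different handler than the application pages.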
