CompTIA
PT0-001 · Question #91
PT0-001 Question #91: Real Exam Question with Answer & Explanation
The correct answer is B: Create a frame that overlays the application.
Attacks and exploits
Question
A penetration tester notices that the X-Frame-Options header on a web application is not set. Which of the following would a malicious actor do to exploit this configuration setting?
Options
- A. Use path modification to escape the application's framework.
- B. Create a frame that overlays the application.
- C. Inject a malicious iframe containing JavaScript.
- D. Pass an iframe attribute that is malicious.
Explanation
A missing X-Frame-Options header leaves a web application vulnerable to clickjacking, where an attacker embeds the legitimate site in a transparent frame to trick users into unintended actions.
Common mistakes.
- A. Path modification to escape an application framework describes a path traversal or framework-escape vulnerability class that is entirely unrelated to the X-Frame-Options header.
- C. Injecting a malicious iframe containing JavaScript describes a cross-site scripting vector and is not the direct exploitation of a missing X-Frame-Options header, which specifically enables clickjacking.
- D. Passing a malicious iframe attribute relates to HTML attribute injection, not the clickjacking risk that arises specifically from an absent X-Frame-Options header.
Concept tested. Clickjacking exploitation via missing X-Frame-Options header
Reference. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Topics
#clickjacking #X-Frame-Options #web-security-headers #iframe-attack