Closed (antisnatchor closed this issue 10 years ago)
@bw-z do you have time to add this to the API and document it in the wiki?
I have had a look at this one in Chrome/FF and it looks like this detection method isn't working anymore. I also tried a manual onload destroy function, without success.
Thanks @bw-z
Do you have an easy method to confirm it on older versions? Something like https://browsershots.org/ might be helpful.
Another potential way to do this is creating a server-side REST handler (without authentication) that, given a resource like http://antisnatchor.com/page, retrieves it, parses the HTTP response headers and checks whether XFO is there or not.
So basically we would have a JS method to do that, that relies on the BeEF server to do the check. I know it's not ideal, but I don't have other ideas right now.
See here: http://blog.whitehatsec.com/x-frame-options-xfo-detection-from-javascript/
Embed the check in every API function that creates iframes, and also in the XssRays code logic.
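The server-side check proposed above, as an added example in Ruby (BeEF's language); this is not BeEF's own code and it is not wired into BeEF's REST API, which is left as an assumption. `frame_policy` classifies a response header hash in the shape `Net::HTTPResponse#to_hash` returns, and `fetch_frame_policy` does the HTTP fetch the handler would perform. Two caveats a practitioner would want: a CSP `frame-ancestors` directive overrides X-Frame-Options in browsers that support it, so the check also reads that; and an unauthenticated endpoint that fetches arbitrary URLs from the BeEF server is an SSRF primitive, so the fetch is restricted to http(s) and a redirect limit, and the sample headers in the test are constructed, not captured.

```ruby
require 'net/http'
require 'uri'

# Given response headers (name => value or name => [values], names matched
# case-insensitively, e.g. the output of Net::HTTPResponse#to_hash), decide
# whether a page on a different origin (such as the BeEF hook page) may
# frame the resource. Returns a hash with the raw policy and the verdict.
def frame_policy(headers)
  h = {}
  headers.each { |k, v| h[k.to_s.downcase] = Array(v).map(&:to_s) }

  xfo = h.fetch('x-frame-options', []).map { |v| v.strip.upcase }

  # CSP frame-ancestors takes precedence over XFO where supported. Collect its
  # source list; if several CSP headers are sent the last directive wins here
  # (assumption; browsers enforce the intersection of all policies).
  ancestors = nil
  h.fetch('content-security-policy', []).each do |csp|
    csp.split(';').each do |directive|
      name, *sources = directive.strip.split(/\s+/)
      ancestors = sources if name && name.downcase == 'frame-ancestors'
    end
  end

  frameable =
    if ancestors
      # Only '*' or a bare scheme source lets an arbitrary foreign origin frame
      # the page; 'none', 'self' and host lists do not.
      ancestors.any? { |s| s == '*' || s =~ /\Ahttps?:\z/ }
    else
      # DENY blocks everyone, SAMEORIGIN and ALLOW-FROM block foreign origins.
      # No header or an unrecognised value leaves the page frameable.
      xfo.none? { |v| v == 'DENY' || v == 'SAMEORIGIN' || v.start_with?('ALLOW-FROM') }
    end

  { xfo: xfo.first, frame_ancestors: ancestors, frameable_cross_origin: frameable }
end

# Fetch the resource (http/https only, bounded redirects, short timeouts) and
# classify its framing policy. Hypothetical helper for the REST handler.
def fetch_frame_policy(url, redirects: 3)
  uri = URI(url)
  raise ArgumentError, 'only http(s) URLs are fetched' unless %w[http https].include?(uri.scheme)

  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https',
                  open_timeout: 5, read_timeout: 5) do |http|
    resp = http.request_get(uri.request_uri)
    if resp.is_a?(Net::HTTPRedirection) && redirects > 0 && resp['location']
      # The final page, not the redirect, carries the policy that matters.
      return fetch_frame_policy(URI.join(url, resp['location']).to_s, redirects: redirects - 1)
    end
    frame_policy(resp.to_hash)
  end
end
```

The JS side would call the handler and branch on `frameable_cross_origin` before creating the iframe; a `false` verdict with `xfo: "SAMEORIGIN"` is the common case on modern sites, which is why the client-only onload trick no longer helps.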