Need to support Cross-Frame Scripting ( 11293 ) problem

Trung107 · ‎06-16-2020

Hi Bro,

I'm used WebInspect, and it detects my website has Cross-Frame Scripting Problem (Cross-Frame Scripting ( 11293 )). But even my response header has X-Frame-Options & Content-Security-Policy: frame-ancestors setting,

WebInspect still detects the same problem. You can see the report file that contains the issue Cross-Frame Scripting ( 11293 ) here report file

Please help me resolve that.
Is any way to resolve it? So I think that was obviously false positives.

Scan information:

- Policy: Standard

- Scan Version: 20.1.0.199

- Scan Type: Site

Issue:

High Issues
Cross-Frame Scripting ( 11293 ) View Description
CWE: 1021
Kingdom: Security Features
Page: https://10.1.33.17:443/

Request:

GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101
Firefox/58.0
Host: 10.1.33.17
Connection: Keep-Alive
X-WIPP: AscVersion=20.1.0.199
X-Scan-Memo:
Category="Crawl";SID="2CF765E6D8D95CDB61F57141B17462A6";SessionType="Externa
lAddedToCrawl";CrawlType="None";AttackType="None";OriginatingEngineID="00000
000-0000-0000-0000-000000000000";tid="109";tt="31";
X-RequestManager-Memo: sid="67";smi="0";sc="1";ID="3dad46cc";
X-Request-Memo: ID="86fc50f6";sc="1";tid="106";
Cookie: CustomCookie=WebInspect148724ZXE9B2988179734CA6A2CF0DC556B11AD3YFD5F
R

Response:

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store,private, max-age=3600, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Length: 15548
Set-Cookie:
.AspNetCore.Antiforgery.c_12tiZU3jA=CfDJ8N8w1XEX_wxJuzUyQXra96u2ltEear86diCa
FvrnuzWHPfeugmNneN297MliJ_8aNt27154edOJ0vrV6k1VD6Sj1ue0z1rOTZaDql9YznwdzsVqFbUOj5Vfyf
O8zXcVKpp1IoDnnVudgolF8rVQbLA; path=/; samesite=strict; httponly
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src
'self' 'unsafe-inline'; img-src 'self' data:
https://10.1.33.17:443/Resources/; font-src 'self' data:; object-src
'none'; frame-ancestors 'none'; base-uri 'none';
Date: Mon, 15 Jun 2020 08:34:10 GMT

Parvez_Admin · ‎06-16-2020

Hi,

Webinspect is part of a different company named " Micro Focus " . So you will need to repost your question to the Micro Focus Community at https://community.softwaregrp.com/

Thanks,
Parvez_Admin
I work for HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

Trung107 · ‎06-16-2020

Thank you Parvez_AL

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Need to support Cross-Frame Scripting ( 11293 ) problem

Need to support Cross-Frame Scripting ( 11293 ) problem

Re: Need to support Cross-Frame Scripting ( 11293 ) problem

Re: Need to support Cross-Frame Scripting ( 11293 ) problem