# User Interface (UI) Misrepresentation of Critical Information
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-451: User Interface (UI) Misrepresentation of Critical Information |
| OWASP | A04:2021 - Insecure Design |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
## Description
The application sets the `X-Frame-Options` HTTP response header from user-supplied input, so a client can decide whether your pages may be embedded in an iframe. The header exists to protect against clickjacking, and that protection is only effective when its value is fixed on the server side and never derived from request data.
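The following is an added example (not code from the original page) showing the pattern this rule flags next to its fixed form, with a small check that mirrors how a reviewer would verify a response. The function names and the framework-free request/response shape (a query dict in, a header dict out) are assumptions for illustration.

```python
# Added example: the weakness behind CWE-451 as flagged here, and its fix.
# build_headers_user_controlled / build_headers_fixed / is_frame_protected are
# hypothetical names; responses are modelled as plain dicts so this runs offline.

# The only X-Frame-Options values browsers honour; anything else is ignored,
# which silently drops the protection.
ALLOWED_FRAME_POLICIES = {"DENY", "SAMEORIGIN"}


def build_headers_user_controlled(query: dict) -> dict:
    """VULNERABLE: the header value is copied from a request parameter, so a
    client that supplies e.g. frame=ALLOWALL (an invalid value) removes the
    clickjacking protection for its own rendering of the page."""
    headers = {"Content-Type": "text/html"}
    headers["X-Frame-Options"] = query.get("frame", "DENY")
    return headers


def build_headers_fixed(query: dict) -> dict:
    """FIXED: the frame policy is a server-side constant and request data is
    never consulted. A CSP frame-ancestors directive is sent alongside it, since
    modern browsers prefer CSP over X-Frame-Options."""
    headers = {"Content-Type": "text/html"}
    headers["X-Frame-Options"] = "DENY"
    headers["Content-Security-Policy"] = "frame-ancestors 'none'"
    return headers


def is_frame_protected(headers: dict) -> bool:
    """Defender-side check: true only if X-Frame-Options carries a value browsers
    honour, or CSP frame-ancestors is present and does not allow every origin."""
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo in ALLOWED_FRAME_POLICIES:
        return True
    for directive in headers.get("Content-Security-Policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            return bool(sources) and "*" not in sources
    return False
```

Running `is_frame_protected` over both builders shows that the vulnerable variant loses protection as soon as the client sends a non-standard value, while the fixed variant is unaffected by the request.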
## Impact
If exploited, an attacker can bypass the frame restrictions and embed your site in a page they control, tricking users into clicking UI elements that are hidden or overlaid (clickjacking). This can lead to unauthorized actions performed in the victim's session, data theft, or reputational damage to your application.