Php Curl Unsafe X Frame Options
Description
This vulnerability detector identifies PHP code that passes an X-Frame-Options header to cURL through curl_setopt(). X-Frame-Options is an HTTP response header: it only has effect when the application sends it to the browser, for example with PHP's header() function or in the web server configuration (the Content-Security-Policy frame-ancestors directive supersedes it and is normally set alongside it). When the header is placed in CURLOPT_HTTPHEADER it travels in the request to the remote API, where it is ignored, while the application's own pages keep being embeddable. That leaves them open to clickjacking, where a malicious site loads the vulnerable page in a hidden frame to trick users into performing unintended actions.
Detection Strategy
• Scans PHP source code for calls to the curl_setopt() function
• Identifies calls that configure request headers through the CURLOPT_HTTPHEADER option
• Flags header arrays that contain an X-Frame-Options entry
• Reports a vulnerability because the header is sent to the remote server as part of the request and never reaches the browser, so the application's own responses are left without clickjacking protection
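The strategy above, worked through as a small Python scanner. This is an added example written for this page, not Fluid Attacks' detector: it finds curl_setopt() calls that set CURLOPT_HTTPHEADER, reports any response-only header in that array with its line number, and, as an extension of the page's fix, checks whether the file sets X-Frame-Options on the application's own response via header(). The two PHP samples are constructed here to mirror the page's vulnerable and secure snippets.

```python
"""Spot X-Frame-Options misplaced in a cURL request (added example).

Illustrative scanner, not Fluid Attacks' detector. It implements the detection
strategy with regular expressions: find curl_setopt() calls that set
CURLOPT_HTTPHEADER and report any header in that array that browsers honour
only on a response. It also checks for a header('X-Frame-Options: ...') call,
which is where the header belongs in PHP code.
"""
from __future__ import annotations

import re

# One curl_setopt(...) call that sets CURLOPT_HTTPHEADER; captures the array
# literal passed as third argument, in either the [...] or array(...) form.
# Non-greedy, so it stops at the first closing bracket followed by ')'.
CURL_HTTPHEADER_RE = re.compile(
    r"curl_setopt\s*\(\s*\$\w+\s*,\s*CURLOPT_HTTPHEADER\s*,\s*"
    r"(?:\[|array\s*\()(?P<headers>.*?)(?:\]|\))\s*\)",
    re.DOTALL,
)

# A single- or double-quoted PHP string literal (no escape handling; enough
# for plain 'Name: value' header strings).
STRING_LITERAL_RE = re.compile(r"""(['"])(?P<value>.*?)\1""", re.DOTALL)

# A header('X-Frame-Options: ...') call that sets the header on the response.
RESPONSE_HEADER_CALL_RE = re.compile(
    r"""\bheader\s*\(\s*(['"])\s*X-Frame-Options\s*:\s*(?P<value>[^'"]*)\1""",
    re.IGNORECASE,
)

# Headers that browsers honour only on a response. The page concerns
# X-Frame-Options; the set is kept open so related headers can be added.
RESPONSE_ONLY_HEADERS = {"x-frame-options"}


def find_misplaced_response_headers(php_source: str) -> list[dict]:
    """Return one finding per response-only header passed to CURLOPT_HTTPHEADER.

    Each finding records the 1-based line of the offending literal and the
    header text, which is what a detector would surface to the developer.
    """
    findings = []
    for call in CURL_HTTPHEADER_RE.finditer(php_source):
        array_body = call.group("headers")
        array_start = call.start("headers")
        for literal in STRING_LITERAL_RE.finditer(array_body):
            header = literal.group("value")
            name, sep, _value = header.partition(":")
            if sep and name.strip().lower() in RESPONSE_ONLY_HEADERS:
                position = array_start + literal.start("value")
                findings.append({
                    "line": php_source.count("\n", 0, position) + 1,
                    "header": header.strip(),
                })
    return findings


def response_frame_policy(php_source: str) -> str | None:
    """Return the X-Frame-Options value the file sets via header(), or None."""
    match = RESPONSE_HEADER_CALL_RE.search(php_source)
    return match.group("value").strip() if match else None


# Constructed sample mirroring the page's vulnerable snippet.
VULNERABLE_PHP = """<?php
function sendApiRequest(): void
{
    $ch = curl_init('https://api.example.com');
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        'X-Frame-Options: DENY', // meant for the browser, sent to the API
    ]);
    curl_exec($ch);
    curl_close($ch);
}
"""

# Constructed sample: request headers stay on the request, and the frame
# policy is set on the application's own response with header().
SECURE_PHP = """<?php
header('X-Frame-Options: DENY');

function sendApiRequest(): void
{
    $ch = curl_init('https://api.example.com');
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Content-Type: application/json',
        'Accept: application/json',
    ));
    curl_exec($ch);
    curl_close($ch);
}
"""

if __name__ == "__main__":
    for label, source in (("vulnerable", VULNERABLE_PHP), ("secure", SECURE_PHP)):
        print(f"{label}: findings={find_misplaced_response_headers(source)} "
              f"response X-Frame-Options={response_frame_policy(source)}")
```

The vulnerable sample yields one finding on line 6 and no response-side policy; the secure sample yields no findings and a response policy of DENY. A production detector would work on a parsed syntax tree rather than regular expressions, which is why this scanner does not attempt to resolve header arrays built in variables or to handle string escapes.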
Vulnerable code example
<?php
function sendApiRequest(): void
{
    $ch = curl_init('https://api.example.com');
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        'X-Frame-Options: DENY', // Vulnerable: response-only header sent to the external API in the request; the browser never sees it
    ]);
    curl_exec($ch);
    curl_close($ch);
}
Secure code example
<?php
function sendApiRequest(): void
{
    $ch = curl_init('https://api.example.com');
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        'Content-Type: application/json', // Fixed: only request headers are sent to the API; X-Frame-Options belongs on the application's own response
        'Accept: application/json',
    ]);
    curl_exec($ch);
    curl_close($ch);
}