During a recent penetration test of a SharePoint site (published through TMG), the site was found to be vulnerable to Cross Site Framing.
I was able to remediate this by adding an HTTP response header in IIS (Header: X-Frame-Options Value: SAMEORIGIN).
The problem now is the TMG logon HTML form can still be captured in a frame.
I can't see any way to add the header, so I was thinking about adding some frame-busting code to the HTML form, but I'm not sure where to put it.
Is there a way to stop the TMG form from being captured in a frame?
Cross Site Framing on TMG HTML Form
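
A frame-busting guard of the kind the question asks about, as an added example that is not part of the original post and not TMG's own code. It is a script-side fallback for a page where the X-Frame-Options header cannot be set; the style id `antiClickjack` and the function name `applyFrameGuard` are assumptions, and where the markup goes in the TMG form is not covered here.

```javascript
// Added example: frame guard for a logon form page. Assumes the page ships with
//   <style id="antiClickjack">body{display:none !important;}</style>
// in its <head>, so the form stays invisible unless this script confirms that
// the page is the top-level window. The id and function name are assumptions.

function applyFrameGuard(win, doc) {
  // Comparing self and top by identity is permitted even across origins.
  if (win.self === win.top) {
    const hide = doc.getElementById('antiClickjack');
    if (hide && hide.parentNode) {
      hide.parentNode.removeChild(hide); // not framed: reveal the form
    }
    return 'top-level';
  }
  try {
    // Framed: ask the browser to load this page as the top-level document.
    win.top.location = win.self.location.href;
    return 'framed-redirected';
  } catch (e) {
    // A sandboxed frame without allow-top-navigation blocks the redirect.
    // The hiding style is still in place, so the form is never displayed.
    return 'framed-hidden';
  }
}

// Run in a browser only; under Node there is no window object.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyFrameGuard(window, document);
}
```

Because the form is hidden by default and only revealed by the script, a framing page that disables scripts or blocks top navigation gets a blank frame rather than a usable logon form.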