Cross Site Framing on TMG HTML Form


  • During a recent penetration test of a SharePoint site (published through TMG), the site was found to be vulnerable to Cross Site Framing.

    I was able to remediate this by adding an HTTP response header in IIS (Header: X-Frame-Options Value: SAMEORIGIN).

    The problem now is the TMG logon HTML form can still be captured in a frame.

    I can't see any way to add the header, so I was thinking about adding some frame busting code to the HTML form, but I'm not sure where to put it.

    Is there a way to stop the TMG form from being captured in a frame?

    Wednesday, October 21, 2015 8:43 AM
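
Added example, not part of the original post: a check that reports, per response, whether an anti-framing header is present, so the SharePoint pages and the logon form can be verified separately after a change. The two sample responses are constructed, and the function names `parse_headers` and `framing_policy` are hypothetical.

```python
# Constructed sample responses (not captures from a real site).
SHAREPOINT_PAGE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN

<html>...</html>"""

LOGON_FORM = """HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: no-cache

<html>...</html>"""


def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw HTTP response."""
    pairs = []
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():
            break                              # blank line ends the headers
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def framing_policy(raw):
    """Return (protected, reason); values that need review count as unprotected."""
    headers = parse_headers(raw)
    # An enforced CSP frame-ancestors directive supersedes X-Frame-Options.
    for name, value in headers:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [p.lower() for p in parts[1:]]
                open_to_all = any(s in ("*", "http:", "https:") for s in sources)
                return (not open_to_all, "frame-ancestors " + " ".join(sources))
    xfo = [v.upper() for n, v in headers if n == "x-frame-options"]
    if not xfo:
        return (False, "no X-Frame-Options or frame-ancestors header")
    if all(v in ("DENY", "SAMEORIGIN") for v in xfo):
        return (True, "X-Frame-Options " + ", ".join(xfo))
    # ALLOW-FROM is obsolete in current browsers; flag it and any other value.
    return (False, "X-Frame-Options value needs review: " + ", ".join(xfo))


if __name__ == "__main__":
    for label, raw in (("SharePoint page", SHAREPOINT_PAGE), ("logon form", LOGON_FORM)):
        print(label, framing_policy(raw))
```
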

All replies