Hey All,
I have a weird one.
We have 2 UTMs, both running 9.705-3 doing WAF for Exchange Server deployed per the KB - https://support.sophos.com/support/s/article/KB-000038003?language=en_US
Everything is working fine, but we are renewing our annual security test, including a PenTest. One of these is showing as vulnerable to clickjacking and one is not.
I have gone through the config side by side and both look identical; I can't figure it out.
The links offered up by the PenTest software are:
http://www.nessus.org/u?399b1f56
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
But I can't find a way to insert these headers.
If I test with https://www.lookout.net/test/clickjack.html one does load the page (which it shouldn't) and one does not load the page, denying the connection (which should be the behaviour), so something isn't set correctly, it's just where to change it.
Can anyone shove me in the right direction?
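The quickest way to pin down which box is missing the header is to pull the response headers from both UTMs and diff them, then judge each set against the two defences the OWASP cheat sheet linked above describes (X-Frame-Options and Content-Security-Policy frame-ancestors). The script below is an added example for this thread, not code from the original post or from Sophos. The two header sets (UTM_A_HEADERS, UTM_B_HEADERS) are constructed for illustration and are not captured from the poster's UTMs; fetch_headers() is an optional helper that assumes HTTPS on port 443 and returns the first response without following redirects.

```python
import http.client
import ssl
from urllib.parse import urlparse

# Constructed sample responses (not captured from the thread's UTMs):
# set A carries an anti-clickjacking header, set B does not.
UTM_A_HEADERS = {
    "Server": "Microsoft-IIS/10.0",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
}
UTM_B_HEADERS = {
    "Server": "Microsoft-IIS/10.0",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
}


def frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP header value, or None if absent."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def clickjacking_status(headers):
    """Classify one response's framing policy as (protected, reason).

    Browsers honour CSP frame-ancestors over X-Frame-Options when both are
    present, so CSP is checked first. Header names match case-insensitively.
    """
    lower = {name.lower(): value for name, value in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            # '*' or a bare scheme such as https: lets any site frame the page
            if any(s == "*" or s.endswith(":") for s in sources):
                return False, f"CSP frame-ancestors allows any origin: {' '.join(sources)}"
            return True, f"CSP frame-ancestors restricts framing: {' '.join(sources)}"

    xfo = lower.get("x-frame-options")
    if xfo is None:
        return False, "no X-Frame-Options or CSP frame-ancestors header"
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options: {value}"
    # ALLOW-FROM is obsolete and ignored by current browsers; any other value
    # (including comma-joined duplicates) is invalid and gives no protection.
    return False, f"X-Frame-Options value not enforced by browsers: {xfo!r}"


def header_diff(headers_a, headers_b):
    """Return {header-name: (value_a, value_b)} for every header that differs."""
    a = {k.lower(): v for k, v in headers_a.items()}
    b = {k.lower(): v for k, v in headers_b.items()}
    return {name: (a.get(name), b.get(name))
            for name in sorted(set(a) | set(b)) if a.get(name) != b.get(name)}


def fetch_headers(url, timeout=10):
    """GET a URL over HTTPS and return its response headers (no redirect following)."""
    parts = urlparse(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("GET", parts.path or "/",
                     headers={"Host": parts.hostname, "User-Agent": "clickjack-check"})
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    # Replace the constructed sets with fetch_headers("https://owa-a.example/owa/") etc. for a live check.
    for label, hdrs in (("UTM A", UTM_A_HEADERS), ("UTM B", UTM_B_HEADERS)):
        ok, why = clickjacking_status(hdrs)
        print(f"{label}: {'protected' if ok else 'VULNERABLE'} ({why})")
    for name, (va, vb) in header_diff(UTM_A_HEADERS, UTM_B_HEADERS).items():
        print(f"differs: {name}  A={va!r}  B={vb!r}")
```

Run it against /owa/ (and /ecp/, /EWS/) on both UTMs rather than just the root: a scanner may flag one path while another is fine, and a WAF rule scoped to a single path will show up exactly that way.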
Ok, found it after stitching together multiple other threads on the topic.
Firstly: THIS IS NOT A SUPPORTED CONFIG FROM SOPHOS. YOU DO SO AT YOUR OWN RISK. Secondly: THIS IS NOT A SUPPORTED CONFIG. You…
Hi vAdmin,
Thanks for reaching out to the Community!
I would suggest you check if there's any DNAT rule for the service/port that got detected in the scan.
Thanks,
No DNAT on the UTM, and I can see that the UTM is responding, as the other headers added by the UTM are present.
In both instances it is acting as a WAF only.