CompTIA PenTest+ (PT0-001) — Question 90
A penetration tester notices that the X-Frame-Options header on a web application is not set. Which of the following would a malicious actor do to exploit this configuration setting?
Answer options
- A. Use path modification to escape the application's framework.
- B. Create a frame that overlays the application.
- C. Inject a malicious iframe containing JavaScript.
- D. Pass an iframe attribute that is malicious.
Correct answer: B
Explanation
The correct answer is B. A page served without an X-Frame-Options header (and without a Content-Security-Policy frame-ancestors directive, which supersedes X-Frame-Options in current browsers) can be loaded inside an iframe on any origin. That is the precondition for clickjacking, also called UI redressing: the attacker embeds the legitimate application in a transparent or near-transparent frame and positions it over a decoy page, or overlays decoy content on top of the frame, so that a user who believes they are clicking the attacker's page is actually clicking buttons or links in the real application, with their own session cookies attached. The fix is to send X-Frame-Options: DENY (or SAMEORIGIN if the application frames its own pages) together with Content-Security-Policy: frame-ancestors 'none' (or 'self'). During an assessment, request the page with curl -I and confirm that one of those headers is present on every authenticated page, not just the landing page.
The other options describe attacks that do not depend on this header. Option A (path manipulation) targets routing or file access rather than framing. Options C and D require the attacker to inject an iframe, or attributes on one, into the application's own HTML, which is an HTML or script injection flaw; X-Frame-Options controls whether other sites may frame this application, not what this application itself embeds.