From d1f114d103c03ae031c96f3f08014a3609c2e3cb Mon Sep 17 00:00:00 2001
From: Brendan Coles
Date: Sat, 10 Feb 2018 06:24:24 +0000
Subject: [PATCH] Add X-Frame-Options to admin UI

---
 .../admin_ui/controllers/authentication/authentication.rb | 3 +++
 extensions/admin_ui/controllers/panel/panel.rb | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/extensions/admin_ui/controllers/authentication/authentication.rb b/extensions/admin_ui/controllers/authentication/authentication.rb
index ba66c3d3b..f161ba9f9 100644
--- a/extensions/admin_ui/controllers/authentication/authentication.rb
+++ b/extensions/admin_ui/controllers/authentication/authentication.rb
@@ -31,6 +31,7 @@ class Authentication < BeEF::Extension::AdminUI::HttpController
   # Function managing the index web page
   def index
     @headers['Content-Type']='text/html; charset=UTF-8'
+    @headers['X-Frame-Options']='sameorigin'
   end
 
   #
@@ -42,6 +43,7 @@ class Authentication < BeEF::Extension::AdminUI::HttpController
     password = @params['password-cfrm'] || ''
     config = BeEF::Core::Configuration.instance
     @headers['Content-Type']='application/json; charset=UTF-8'
+    @headers['X-Frame-Options']='sameorigin'
     ua_ip = @request.ip # get client ip address
     @body = '{ success : false }' # attempt to fail closed
 
@@ -87,6 +89,7 @@ class Authentication < BeEF::Extension::AdminUI::HttpController
 
     (print_error "invalid session";return @body = "{ success : true }") if not @session.valid_session?(@request)
     @headers['Content-Type']='application/json; charset=UTF-8'
+    @headers['X-Frame-Options']='sameorigin'
 
     # set the session to be log out
     @session.set_logged_out
diff --git a/extensions/admin_ui/controllers/panel/panel.rb b/extensions/admin_ui/controllers/panel/panel.rb
index cbbe58997..73f339371 100644
--- a/extensions/admin_ui/controllers/panel/panel.rb
+++ b/extensions/admin_ui/controllers/panel/panel.rb
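Review bot: The line `@headers['X-Frame-Options']='sameorigin'` is copied into `index` here, into the two later hunks of this file (-42 and -87), and into panel.rb's `index`, so every admin UI action this commit does not touch still responds without the header and each new action will have to remember to add it. If `BeEF::Extension::AdminUI::HttpController` is where `@headers` is populated before an action runs, which the existing `@headers['Content-Type']` assignments in this file suggest but the hunk does not show, assigning the header once there turns it into a response-level default and lets the four per-action copies be dropped. If a central place is not available, a single frozen constant in this class, e.g. `FRAME_OPTIONS = 'sameorigin'.freeze`, referenced from each action at least keeps the value in one spot. `index` is complete within this hunk.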
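Review bot: In the -87 hunk the new `@headers['X-Frame-Options']='sameorigin'` is placed below the `valid_session?` guard on the hunk's first code line, so a request that fails that check returns with `@body` set but with neither this header nor the `Content-Type` header, and the added protection does not reach that response. Moving both header assignments above the guard gives every path the same headers: `@headers['Content-Type']='application/json; charset=UTF-8'` and `@headers['X-Frame-Options']='sameorigin'` first, then the `(print_error ...; return ...) if not @session.valid_session?(@request)` line unchanged. The enclosing method's `def` line is outside the hunk, so whether anything else runs before the guard cannot be seen here.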
@@ -23,7 +23,8 @@ module BeEF
   end
 
   # default index page
-  def index;
+  def index
+    @headers['X-Frame-Options']='sameorigin'
   end
 
   # return a JSON object contains all the updates for the hooked browser trees
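Review bot: The value `sameorigin` on the added line is the lowercase form of the token RFC 7034 spells `SAMEORIGIN`; browsers generally compare it case-insensitively, but using the documented spelling avoids relying on that, and the same lowercase value is used in the three authentication.rb hunks. This `index` serves the panel page itself, the page a clickjacking attempt would frame, so it is also the place to decide whether `sameorigin` is the intended policy: if no admin UI page embeds another in a frame, `DENY` is the tighter setting, and `Content-Security-Policy: frame-ancestors 'none'` (or `'self'` to match `SAMEORIGIN`) is the current equivalent that supersedes X-Frame-Options in browsers that support it, so sending both covers old and new clients. A possible form is `@headers['X-Frame-Options']='SAMEORIGIN'` followed by `@headers['Content-Security-Policy']="frame-ancestors 'self'"`, tightened to `DENY`/`'none'` once framing is confirmed unused. `index` is complete within this hunk.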