
Cross Frame Scripting or Clickjacking

 
lakshmi gullapudi
Greenhorn
Posts: 20
Hi,

One security issue (Cross Frame Scripting or Clickjacking) was found in a web application scan.

For this, we added the meta tag below in each JSP, but this issue is still not fixed:

<META HTTP-EQUIV="X-Frame-Options" CONTENT="deny">


Please help me with how to fix this issue in JSP...

 
Arun Giridhar
Ranch Hand
Posts: 188
See this.
 
lakshmi gullapudi
Greenhorn
Posts: 20
We use the StartUp servlet only at initialization time. After that we go from JSP to bean to JSP...

In this case, how can we fix this issue?
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 37181
For clickjacking, the OWASP page describes two approaches. One uses JavaScript and one sets a response value. Ideally, you do both to be more secure. You can set the response value in a filter. Filters can be applied to JSPs too. The JavaScript part just goes on your page.
 
lakshmi gullapudi
Greenhorn
Posts: 20
I used the JavaScript code below at the bottom of all the JSP pages:

<style id="antiClickjack">body{display:none !important;}</style>

<script type="text/javascript">
    // Page is the top-level window (not framed): remove the hiding style so the body shows.
    if (self == top)
    {
        alert("self is equal to top customUI");
        var antiClickjack = document.getElementById("antiClickjack");
        antiClickjack.parentNode.removeChild(antiClickjack);
    }
    // Page is inside a frame: navigate the top-level window to this page.
    else {
        top.location = self.location;
    }
</script>


In my application, for some JSP pages control goes to the if condition (self == top) and for some JSP pages control goes to the else condition (self != top).

The application works fine when self == top, but the application does not work when self != top.

Is there any way to use this JavaScript code only on specific pages?


-----------------------------------------------------------------------------------------------------------------

Coming to the filter approach...


We use a servlet only once in the application, at initialization time. In this case, how can we use filters?

StartUpServlet.java

/*
 * StartUpServlet.java
 *
 * Copyright (C) 2004 LPA Systems, Inc. All Rights Reserved.
 */
package com.lpasystems.cmss;

import java.sql.*;

import javax.naming.*;
import javax.servlet.*;
import javax.servlet.http.HttpServlet;
import javax.sql.DataSource;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.xml.XmlBeanFactory;


//J-
/**
 * Does whatever initialization the CMSS app needs.
 *
 * @author jcurry
 * @version $Revision: 1.2 $
 * Last Changed by: $Author: uswu47804 $
 * Last Changed Date: $DateTime: 2004/11/16 16:00:40 $
 */
//J+
public class StartUpServlet extends HttpServlet {
    private static Log log = LogFactory.getLog(StartUpServlet.class);

    /**
     * Called during servlet initialization. We override this to capture the
     * initialization parameters and do any setup that is necessary.
     *
     * @param config ServletConfig object
     *
     * @throws ServletException
     */
    public void init(ServletConfig config) throws ServletException {
        super.init(config);

        // Set up the logger (just log something so it is initialized).
        log.info(" ");
        log.info("StartUpServlet Started");

        // Initialize the Spring Bean Factory by getting an instance, which will
        // force initialization of the singleton.
        XmlBeanFactory springBeanFactory = SpringBeanFactory.getInstance();

        // A couple of test methods you can use to make sure everything is
        // wired up right.
        // testDatasource();
        // logJndiTree();

        // Initialize the project bean and associate it with the context.
        initializeProjectBean(config);
    }

    /*
     * Initialize the project bean and associate it with the servlet context
     * so that JSPs can access it later.
     */
    private void initializeProjectBean(ServletConfig config) {
        XmlBeanFactory springBeanFactory = SpringBeanFactory.getInstance();
        ProjectBean projectBean = (ProjectBean) springBeanFactory.getBean("projectBean");
        projectBean.setFilePath(config.getServletContext().getRealPath(""));

        ServletContext servletContext = config.getServletContext();
        servletContext.setAttribute("project", projectBean);
    }

    /*
     * Runs a simple query against the configured datasource to make sure it works.
     */
    private void testDatasource() {
        Connection con = null;
        Statement stmt = null;
        try {
            log.info("Testing datasource");

            XmlBeanFactory springBeanFactory = SpringBeanFactory.getInstance();

            DataSource ds = (DataSource) springBeanFactory.getBean("dataSource");

            con = ds.getConnection();
            stmt = con.createStatement();
            ResultSet rs = stmt.executeQuery("SELECT 'HELLO WORLD' FROM DUAL");
            rs.next();
            log.info("Query Result " + rs.getString(1));
        }
        catch (SQLException e1) {
            log.error("SQLException thrown", e1);
        }
        finally {
            // Release the statement and connection even if the query failed.
            try { if (stmt != null) stmt.close(); } catch (SQLException ignore) { }
            try { if (con != null) con.close(); } catch (SQLException ignore) { }
        }
    }

    /*
     * Dumps out the JNDI tree to the log.
     */
    private void logJndiTree() {
        log.info("Enumerating the Jndi Tree");

        try {
            InitialContext ctx = new InitialContext();

            StringBuffer sb = new StringBuffer("\n\n");
            listJndiTree(ctx, sb, "");
            log.info(sb);
        }
        catch (NamingException e) {
            log.error("NameException Thrown", e);
        }
    }

    /*
     * Builds a string buffer containing all the JNDI entries, recursing into
     * sub-contexts and padding each name to column 50 before its class name.
     */
    private void listJndiTree(Context ctx, StringBuffer sb, String prefix) {
        try {
            NamingEnumeration enum1 = ctx.listBindings("");

            while (enum1.hasMore()) {
                Binding binding = (Binding) enum1.next();
                Object obj = binding.getObject();

                if (obj instanceof Context) {
                    listJndiTree((Context) obj, sb, prefix + binding.getName() + "/");
                }
                else {
                    sb.append(prefix);
                    sb.append(binding.getName());

                    for (int i = binding.getName().length() + prefix.length(); i < 50;
                         i++) {
                        sb.append(" ");
                    }

                    sb.append(obj.getClass().getName());
                    sb.append("\n");
                }
            }
        }
        catch (NamingException e) {
            log.error("NameException Thrown", e);
        }
    }
}





JSP page:


<jsp:useBean id="project" class="com.lpasystems.cmss.ProjectBean" scope="application"/>
<jsp:useBean id="client" class="com.lpasystems.cmss.ClientBean" scope="session"/>
<jsp:useBean id="dropdownLists" class="com.lpasystems.cmss.DropdownLists" />

<HTML>
<HEAD>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="Content-Type" content="text/html; charset=UTF-8">
<TITLE>Form Select Dropdown</TITLE>
<LINK rel="stylesheet" type="text/css" href="<%= project.getsTop() %>/CMSS.css">
<style id="antiClickjack">body{display:none !important;}</style>
<%
// =====================================================================
// JSP File: FormselectDropdown.jsp
//
// Purpose: This is the generic frame that holds the dropdown selection list
// to choose a table row to modify.
//
// URL Params: TabNameParam: Name of Tab, third parameter of ACCESSTYPETABS table
// FormFilenameParam: jsp filename of main custom form
// FormSubdirParam: Subdirectory under main where FormFilename is located
// ToolbarBtnParam: Dash-separated list of toolbar buttons
// (see FormselectToolbar.hsp for choices)
//
// Called from: FormselectMainFrame.jsp
//
// Calls: none
//
// Notes:
//
// License: Copyright © 2004 LPA Systems, Inc. All rights reserved.
//
// History:
// Date Who Remarks
// -------- ---- -------
// 10-02-98 mdp Created
// 12-17-99 jjc Moved addElementToDropdownList into this page
// 08-15-04 jjc Convert to jsp
//======================================================================
%>

<%
// Get only params from FormselectMainFrame for passing in to toolbar and
// custom form frame
String sQueryString = "TabNameParam=" + request.getParameter("TabNameParam") +
                      "&FormSubdirParam=" + request.getParameter("FormSubdirParam") +
                      "&FormFilenameParam=" + request.getParameter("FormFilenameParam");
String sRedrawURL = "/jsp/" + request.getParameter("FormSubdirParam") + "/" + request.getParameter("FormFilenameParam");
%>
<SCRIPT LANGUAGE="JavaScript">
var sToolbarBtnParam = "<%= request.getParameter("ToolbarBtnParam") %>";

// Global client-side JavaScript variables
var dynamicFrame = top.DynamicFrame;

function onLoadDocument()
{
    // Check for an empty list (display only SUBMIT in this case)
    if ((document.forms[0].TableList.options.length == 0) && (sToolbarBtnParam.indexOf('NEW') >= 0))
        sToolbarBtnParam = 'SUBMIT';

    // Load toolbar frame
    parent.FormselectToolbarFrame.location.href = dynamicFrame.project.sTop +
        "/jsp/FormselectToolbar.jsp?ActionParam=" + sToolbarBtnParam;
}

function refreshFormselectPage()
{
    // Get selected key value
    var sSelectionKey =
        document.forms[0].TableList.options[document.forms[0].TableList.selectedIndex].value;

    // Redraw page with new selected value
    parent.FormselectEditFrame.location.href =
        dynamicFrame.project.sTop +
        "<%= sRedrawURL %>" +
        '?ActionParam=EDIT&LastSelectedKeyParam=' + escape(sSelectionKey) + '&' +
        "<%= sQueryString %>";
}


//* Purpose: Add an item into the option collection of the TableList drop down
function addElementToDropdownList(sValue, sDisplay)
{
    // IE3 returns empty for the Option constructor
    if (!top.TopSourceFrame.isEmpty(typeof Option))
    {
        // Find the length of the option array
        var iLastObjPlus1 = document.forms[0].TableList.options.length;

        // Use this as an index to tack on a new element to the end of the option list
        // (parameters to Option() call are: DisplayText, value, defaultSelected, selected)
        document.forms[0].TableList.options[iLastObjPlus1] =
            new Option(sDisplay, sValue, false, true);

        // Now move the item to the correct position in the list (insertion sort by text)
        for (var i = iLastObjPlus1;
             i > 0 && document.forms[0].TableList.options[i].text < document.forms[0].TableList.options[i-1].text;
             i--)
        {
            document.forms[0].TableList.options[i].text = document.forms[0].TableList.options[i-1].text;
            document.forms[0].TableList.options[i].value = document.forms[0].TableList.options[i-1].value;

            document.forms[0].TableList.options[i-1].text = sDisplay;
            document.forms[0].TableList.options[i-1].value = sValue;

            // Set the current selection to the new row
            document.forms[0].TableList.options[i-1].selected = true;
        }

    }
    else // IE3 Browser
    {
        // Reload everything...
        parent.parent.TabContentFrame.location.href = dynamicFrame.project.sTop + '/jsp/FormselectMainFrame.jsp?' +
            "<%= sQueryString %>";
    }
}

</SCRIPT>

</HEAD>

<body <%= project.getsBodyTagAttributes() %> onLoad="onLoadDocument()">

<table border=0 cellspacing=0 cellpadding=0>

<!-- First column is a left margin, everything else goes in the second column. -->
<tr>
    <td WIDTH="15"></td>

    <td>
    <table width=700 border=0 cellspacing=0 cellpadding=0>

    <form method="POST">

    <tr><td> </td></tr>

    <tr>
        <td COLSPAN=2>
        <H1 class="title"><%= request.getParameter("TitleParam") %></H1>
        </td>
    </tr>

    <tr>
        <td COLSPAN=2><%= request.getParameter("PromptParam") %>

<%
String sSQLStmt = request.getParameter("QueryParam");

dropdownLists.makeDropdownFromQuery(
    request, session, out,        // JSP interface objects
    "",                           // Current Selection
    sSQLStmt,
    "TableList",                  // Tag Name
    "N",                          // Null allowed
    "N",                          // Use Cache
    "refreshFormselectPage()",    // onChange call
    true,                         // drawListIfEmpty
    "",                           // prefixIdList
    "",                           // prefixDescrList
    "",                           // postfixIdList
    "");                          // postfixDescrList
%>

        </td>
    </tr>
    </form>
    </table>

    </td>
</tr>

</table>

<script type="text/javascript">
// Page is the top-level window (not framed): remove the hiding style so the body shows.
if (self == top)
{
    alert("self is equal to top formselect");
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
    alert("removed child");
}
// Page is inside a frame: navigate the top-level window to this page.
else {
    alert("self is not equal to top formselect");
    top.location = self.location;
}
</script>

</body>
</HTML>


Can you help me with how to fix this in my application?



 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 37181
That's a lot of code. I don't have time to read all that, so I'm skipping parts of your question.

In answer to the filter part, see here. They use a filter around JSPs, just by URL pattern.
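An added example of the filter approach described in this thread (not code from the thread or from the CMSS project): a servlet Filter that sets the X-Frame-Options response header on every JSP by URL pattern, so the StartUpServlet does not need to change. The package, class and filter names are assumptions.

```java
package com.lpasystems.cmss.filter;  // hypothetical package, not part of CMSS
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Sends X-Frame-Options as a real HTTP response header. Browsers honour it only
 * as a header, not as the <META HTTP-EQUIV> tag used in the JSPs, which is why
 * the scanner finding did not go away.
 *
 * CMSS frames its own pages (top.DynamicFrame, parent.FormselectToolbarFrame),
 * so DENY would break the application; SAMEORIGIN still stops a third-party
 * site from framing it. The same framing is why the frame-busting script takes
 * the else branch (self != top) on some pages and navigates the app away.
 *
 * web.xml wiring (assumed names): applied to every JSP by URL pattern, with no
 * change to StartUpServlet.
 *   <filter>
 *     <filter-name>FrameOptionsFilter</filter-name>
 *     <filter-class>com.lpasystems.cmss.filter.FrameOptionsFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>FrameOptionsFilter</filter-name>
 *     <url-pattern>*.jsp</url-pattern>
 *   </filter-mapping>
 */
public class FrameOptionsFilter implements Filter {
    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // Set the header before the JSP writes and commits the body;
            // headers added after the response is committed are silently dropped.
            ((HttpServletResponse) res).setHeader("X-Frame-Options", "SAMEORIGIN");
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Check the result with a browser's network tab or a command-line HTTP client: the header must appear in the response of a JSP URL, not in the page source.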
 