• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Cross Frame scripting

 
lakshmi gullapudi
Greenhorn
Posts: 16
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
One vulnerability ,Cross Frame scripting is found in my application.


Fixed this issue by adding <% response.addHeader("X-Frame-Options", "SAMEORIGIN"); %> in all jsp pages. but still this vulnerabilty is in my application when the application is scanned.


<HEAD>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="Content-Type" content="text/html; charset=UTF-8">

<TITLE>Untitled</TITLE>

<% response.addHeader("X-Frame-Options", "SAMEORIGIN"); %>
</HEAD>


tested this by creating a test page containing an HTML iframe tag whose src attribute is set to
http://usa0300uz1345.apps.mc.xerox.com:10503/NGC/ , (for ex : this is my application URL )


Displayed the page as " this content cannot be displayed in a iframe " this is working as expected ..but still this vulnerability is in application.

is there any other way we can test this application if this Cross Frame Vulnerability is still present or not.


Please help me on this.

 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 34974
379
Eclipse IDE Java VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
response.addHeader("X-Frame-Options", "SAMEORIGIN"); is for Clickjacking. Read about Cross Frame Scripting. It's not trivial. The root cause may or may not be the same as your XSS problem.
 
lakshmi gullapudi
Greenhorn
Posts: 16
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks for the response.

how to fix this Cross Frame Scripting .

in owsap site ,its mentioned XFS attacks may denied by preventing the third-party web page from being framed; the techniques used to do this are the same as those used for Clickjacking Protection for Java EE.

we already implemented this Clickjacking protection in my application but still this vulnerability exists.


 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 34974
379
Eclipse IDE Java VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I don't have a general answer for you. You are going to need to ask the people who reported the issue against your application for more detail.
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic