Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Avoid clickjacking for Java web application when opened in same session

I am trying to handle clickjacking for a java web application. I got a solution from Clickjacking Defense Cheat Sheet

I have added a filter in web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
         xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee                                        http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name>OWASP ClickjackFilter</display-name>
    <filter>
        <filter-name>ClickjackFilterDeny</filter-name>
        <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
        <init-param>
            <param-name>mode</param-name>
            <param-value>DENY</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>ClickjackFilterSameOrigin</filter-name>
        <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
        <init-param>
            <param-name>mode</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>

    <!--  use the Deny version to prevent anyone, including yourself, from framing the page -->
    <filter-mapping>
        <filter-name>ClickjackFilterDeny</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>


</web-app>

My filter class look like

package org.owasp.filters;
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ClickjackFilter implements Filter
{

    private String mode = "DENY";

    /**
     * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
     * decide to implement) not to display this content in a frame. For details, please
     * refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse)response;
        res.addHeader("X-FRAME-OPTIONS", mode );
        chain.doFilter(request, response);
    }

    public void destroy() {
    }

    public void init(FilterConfig filterConfig) {
        String configMode = filterConfig.getInitParameter("mode");
        if ( configMode != null ) {
            mode = configMode;
        }
    }

}

Now the problem I'm facing is that this solution only works if I open the web page in a new session every time.

The solution fails if I try to frame the application in the same session.

like image 772
user3691167 Avatar asked Feb 23 '16 11:02

user3691167


People also ask

How can we prevent clickjacking in Java?

Using the X-Frame-Options header A better approach to prevent clickjacking attacks is to ask the browser to block any attempt to load your website within an iframe. You can do it by sending the X-Frame-Options HTTP header.

How can clickjacking be prevented?

There are three main ways to prevent clickjacking: Sending the proper Content Security Policy (CSP) frame-ancestors directive response headers that instruct the browser to not allow framing from other domains. The older X-Frame-Options HTTP headers is used for graceful degradation and older browser compatibility.

Which of the following is one way to prevent a clickjacking attack?

To ensure that your site doesn't get used in a clickjacking attack, you need to make sure it cannot be wrapped in an iframe by a malicious site. This can be done by giving the browser instructions directly via HTTP headers, or in older browser by using client-side JavaScript (frame-killing).

Which HTTP header can be used to prevent clickjacking?

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> , <iframe> , <embed> or <object> . Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.


1 Answers

There are three settings for X-Frame-Options:

  1. SAMEORIGIN This setting will allow a page to be displayed in a frame on the same origin as the page itself
  2. DENY This setting will prevent a page displaying in a frame or iframe
  3. ALLOW-FROM uri This setting will allow a page to be displayed only on the specified origin

Have you tried with SAMEORIGIN instead of DENY for mod?

Read more X-Frame-Options Header Types

like image 122
Butiri Dan Avatar answered Oct 17 '22 20:10

Butiri Dan