Cross Frame scripting

Greenhorn
Posts: 20
One vulnerability, Cross Frame Scripting, was found in my application.

I fixed this issue by adding <% response.addHeader("X-Frame-Options", "SAMEORIGIN"); %> to all JSP pages, but the vulnerability is still reported when the application is scanned.


<HEAD>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="Content-Type" content="text/html; charset=UTF-8">

<TITLE>Untitled</TITLE>

<%-- Response headers are only honoured if set before the response is committed.
     With the default JSP output buffer this scriptlet runs before any output is
     flushed, so the header is still added; a large page or an explicit flush
     before this point would silently drop it. --%>
<% response.addHeader("X-Frame-Options", "SAMEORIGIN"); %>
</HEAD>


I tested this by creating a test page containing an HTML iframe tag whose src attribute is set to
http://usa0300uz1345.apps.mc.xerox.com:10503/NGC/ (for example, this is my application URL).


The page displayed "This content cannot be displayed in an iframe". This is working as expected, but the vulnerability is still reported against the application.

Is there any other way we can test whether this Cross Frame Scripting vulnerability is still present in the application?


Please help me with this.
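Added example, not code from the thread or from the poster's application: a scanner does not test one page with an iframe the way the post above does; it requests every URL it can find and flags each response whose headers would let a browser frame it. A header added inside JSP pages only reaches the responses those JSPs render, so anything produced elsewhere (servlets, error pages, static files) carries no X-Frame-Options unless something else sets it, and a second, conflicting X-Frame-Options value on a response is a finding too. The script below makes that check reproducible offline: it parses raw response heads, decides whether each one is protected by X-Frame-Options (DENY or SAMEORIGIN) or a Content-Security-Policy frame-ancestors directive, and runs over constructed sample responses (labels, paths and header values are made up for illustration). fetch_head() is an optional helper for pulling real heads off a running server; it is not exercised by the sample run.

```python
"""Check whether HTTP responses forbid being framed.

Added example; not code from the original thread or the poster's
application. Parses the head of a raw HTTP response (status line plus
headers) and reports whether a browser will refuse to frame it, via
X-Frame-Options (DENY / SAMEORIGIN) or a CSP frame-ancestors directive.
The sample responses below are constructed for illustration.
"""
import http.client
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

Headers = Dict[str, List[str]]


def parse_head(raw: str) -> Tuple[int, Headers]:
    """Parse a raw response head. Header names are lower-cased and
    repeated headers keep every value, so duplicates can be detected."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: Headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def frame_protection(headers: Headers) -> Tuple[bool, str]:
    """Return (protected, reason) for one response's headers."""
    # A CSP frame-ancestors directive takes precedence over X-Frame-Options
    # in browsers that support it; '*' is the only source that allows any origin.
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                if "*" in parts[1:]:
                    return False, "frame-ancestors allows any origin"
                return True, "CSP " + " ".join(parts)
    xfo = {v.upper() for v in headers.get("x-frame-options", [])}
    if not xfo:
        return False, "no X-Frame-Options and no frame-ancestors"
    if len(xfo) > 1:
        # Two different values on one response: treat as a finding and fix the
        # duplicate rather than relying on how a given browser resolves it.
        return False, "conflicting X-Frame-Options values: " + ", ".join(sorted(xfo))
    value = xfo.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options: " + value
    # ALLOW-FROM is obsolete and ignored by current browsers; any other
    # value is unrecognised and gives no protection.
    return False, "unsupported X-Frame-Options value: " + value


def check_responses(responses: Dict[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Run frame_protection over a label -> raw head map."""
    return {label: frame_protection(parse_head(raw)[1]) for label, raw in responses.items()}


def fetch_head(url: str, timeout: float = 10.0) -> str:
    """Fetch one URL without following redirects and return its raw head.
    Network call; not used by the constructed sample run below."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    conn.request("GET", path)
    resp = conn.getresponse()
    head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
    conn.close()
    return head


# Constructed sample heads (assumed, not captured from a real deployment):
# only the JSP-rendered page and the CSP page are protected.
SAMPLE_RESPONSES = {
    "jsp page": "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
                "X-Frame-Options: SAMEORIGIN\r\n\r\n",
    "servlet page": "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n",
    "error page": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n"
                  "X-Frame-Options: SAMEORIGIN\r\nX-Frame-Options: ALLOWALL\r\n\r\n",
    "csp page": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                "Content-Security-Policy: frame-ancestors 'self'\r\n\r\n",
}

if __name__ == "__main__":
    for label, (ok, why) in check_responses(SAMPLE_RESPONSES).items():
        print(f"{'OK  ' if ok else 'FAIL'} {label:13s} {why}")
```

To use it against a live server, feed fetch_head() the URLs a scanner would hit (not only the JSP pages: error URLs, servlet endpoints, static resources) and pass the results to check_responses(); every FAIL line is a response the scanner will keep reporting.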

author & internet detective
Posts: 41860
response.addHeader("X-Frame-Options", "SAMEORIGIN"); is for Clickjacking. Read about Cross Frame Scripting. It's not trivial. The root cause may or may not be the same as your XSS problem.
 
lakshmi gullapudi
Greenhorn
Posts: 20
Thanks for the response.

How do I fix this Cross Frame Scripting issue?

On the OWASP site, it is mentioned that XFS attacks may be denied by preventing the third-party web page from being framed; the techniques used to do this are the same as those used for Clickjacking Protection for Java EE.

We already implemented this Clickjacking protection in my application, but the vulnerability still exists.


Jeanne Boyarsky
author & internet detective
I don't have a general answer for you. You are going to need to ask the people who reported the issue against your application for more detail.
 