aspose file tools*
The moose likes JSP and the fly likes Cross Frame scripting Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » JSP
Bookmark "Cross Frame scripting" Watch "Cross Frame scripting" New topic
Author

Cross Frame scripting

lakshmi gullapudi
Greenhorn

Joined: Mar 18, 2013
Posts: 16
One vulnerability ,Cross Frame scripting is found in my application.


Fixed this issue by adding <% response.addHeader("X-Frame-Options", "SAMEORIGIN"); %> in all jsp pages. but still this vulnerabilty is in my application when the application is scanned.


<HEAD>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="Content-Type" content="text/html; charset=UTF-8">

<TITLE>Untitled</TITLE>

<% response.addHeader("X-Frame-Options", "SAMEORIGIN"); %>
</HEAD>


tested this by creating a test page containing an HTML iframe tag whose src attribute is set to
http://usa0300uz1345.apps.mc.xerox.com:10503/NGC/ , (for ex : this is my application URL )


Displayed the page as " this content cannot be displayed in a iframe " this is working as expected ..but still this vulnerability is in application.

is there any other way we can test this application if this Cross Frame Vulnerability is still present or not.


Please help me on this.

Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30955
    
158

response.addHeader("X-Frame-Options", "SAMEORIGIN"); is for Clickjacking. Read about Cross Frame Scripting. It's not trivial. The root cause may or may not be the same as your XSS problem.


[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
lakshmi gullapudi
Greenhorn

Joined: Mar 18, 2013
Posts: 16
Thanks for the response.

how to fix this Cross Frame Scripting .

in owsap site ,its mentioned XFS attacks may denied by preventing the third-party web page from being framed; the techniques used to do this are the same as those used for Clickjacking Protection for Java EE.

we already implemented this Clickjacking protection in my application but still this vulnerability exists.


Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30955
    
158

I don't have a general answer for you. You are going to need to ask the people who reported the issue against your application for more detail.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Cross Frame scripting