Cross Frame scripting

lakshmi gullapudi
Greenhorn

Joined: Mar 18, 2013
Posts: 16
One vulnerability, Cross Frame scripting, is found in my application.


Fixed this issue by adding <% response.addHeader("X-Frame-Options", "SAMEORIGIN"); %> in all JSP pages, but this vulnerability is still in my application when the application is scanned.


<HEAD>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="Content-Type" content="text/html; charset=UTF-8">

<TITLE>Untitled</TITLE>

<% response.addHeader("X-Frame-Options", "SAMEORIGIN"); %>
</HEAD>


Tested this by creating a test page containing an HTML iframe tag whose src attribute is set to
http://usa0300uz1345.apps.mc.xerox.com:10503/NGC/ (for example; this is my application URL).


The page displayed "this content cannot be displayed in an iframe". This is working as expected, but this vulnerability is still in the application.

Is there any other way we can test whether this Cross Frame Scripting vulnerability is still present in this application?


Please help me on this.

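An independent way to check what the scanner sees is to inspect the response headers of every URL it requested (servlets, static files and error pages included, not only JSP pages), rather than relying on one iframe test page. The following is an added example, not code from this thread or from the poster's application; it evaluates a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers, which are the two headers browsers honour for framing control, and the fetch helper and its example URL are assumptions for illustration.

```python
"""Check whether an HTTP response's headers prevent cross-origin framing."""
from typing import Dict, List, Tuple
import urllib.request

PROTECTIVE_XFO = ("DENY", "SAMEORIGIN")
PROTECTIVE_ANCESTORS = ("'none'", "'self'")


def framing_protection(headers: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (protected, notes) for a header mapping (names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    notes: List[str] = []
    protected = False

    xfo = h.get("x-frame-options")
    if xfo is None:
        notes.append("X-Frame-Options missing")
    else:
        value = xfo.strip().upper()
        if "," in value:
            # Several values (e.g. from a page and a proxy both setting it) make the header invalid.
            notes.append("multiple X-Frame-Options values; browsers may ignore the header")
        elif value in PROTECTIVE_XFO:
            protected = True
        elif value.startswith("ALLOW-FROM"):
            notes.append("ALLOW-FROM is obsolete and ignored by current browsers")
        else:
            notes.append(f"unrecognised X-Frame-Options value: {xfo!r}")

    # frame-ancestors supersedes X-Frame-Options in browsers that support it.
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            if sources and all(s.lower() in PROTECTIVE_ANCESTORS for s in sources):
                protected = True
            else:
                notes.append(f"frame-ancestors permits: {' '.join(sources) or '(empty)'}")
            break
    else:
        notes.append("CSP frame-ancestors missing")
    return protected, notes


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch a URL and return its response headers (requires network access)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    # Constructed sample header sets; replace with fetch_headers("https://your-app.example/page") to test live.
    for sample in ({"X-Frame-Options": "SAMEORIGIN"}, {}, {"X-Frame-Options": "SAMEORIGIN, DENY"}):
        print(sample, "->", framing_protection(sample))
```

Run it against each URL in the scanner's report; a response that returns protected == False (for example a servlet or static resource that no JSP scriptlet touched) is the usual reason a per-page fix still shows up as a finding, and a servlet Filter applied to every response closes that gap.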
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 30130
response.addHeader("X-Frame-Options", "SAMEORIGIN"); is for Clickjacking. Read about Cross Frame Scripting. It's not trivial. The root cause may or may not be the same as your XSS problem.


lakshmi gullapudi
Greenhorn

Joined: Mar 18, 2013
Posts: 16
Thanks for the response.

How to fix this Cross Frame Scripting?

On the OWASP site, it's mentioned that XFS attacks may be denied by preventing the third-party web page from being framed; the techniques used to do this are the same as those used for Clickjacking Protection for Java EE.

We already implemented this Clickjacking protection in my application, but this vulnerability still exists.


Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 30130
I don't have a general answer for you. You are going to need to ask the people who reported the issue against your application for more detail.