Difference between revisions of "Clickjacking Protection for Java EE"

From OWASP
Jump to: navigation, search
(First draft)
 
Line 7: Line 7:
 
[[Clickjacking]] is an attack that tricks users by showing them an innocuous page but including the real controls from sensitive pages. These controls are disguised through the use of background frames that mask off everything except the control, so that the user can't tell that they are actually clicking on a sensitive function in some other website.
 
[[Clickjacking]] is an attack that tricks users by showing them an innocuous page but including the real controls from sensitive pages. These controls are disguised through the use of background frames that mask off everything except the control, so that the user can't tell that they are actually clicking on a sensitive function in some other website.
  
==Approach==
+
The primary defense to clickjacking is to prevent your pages from being framed. The typical approach to this is to include a "frame-breaker" script in every page that ensures that the content is not framed. Here's an example of such a script.
  
The primary defense to clickjacking is to prevent your pages from being framed. The typical approach to this is to include a "frame-breaker" script in every page that ensures that the content is not framed.
+
  <script>...
  
 +
Microsoft has included a [http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx defense] in IE8 that allows developers to specify that pages should not be framed. They use a new X-FRAME-OPTIONS header to mark responses that shouldn't be framed. There are two options with X-FRAME-OPTIONS. The first is DENY, which prevents everyone from framing the content. The other option is SAMEORIGIN, which only allows the current site to frame the content. Currently this works in IE8 RC1+, but will not affect users of other browsers until they decide to implement this feature. Firefox users may want to look at the protection in NoScript.
  
Microsoft has included a defense in IE8 that allows developers to specify that pages should not be framed. They use the X-FRAME-OPTIONS header to mark responses that shouldn't be framed. The inclusion of this header will prevent content from being framed in IE8+, but will not affect users of other browsers until they decide to implement this feature.
+
==Approach==
  
http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
+
We'd like to add the X-FRAME-OPTIONS header to any pages that shouldn't be framed. So we could go into every servlet and JSP and add one of the two following lines of code:
  
In this article, we'll implement a simple filter to add the X-FRAME-OPTIONS to some or all of a JavaEE application.
+
  // to prevent all framing of this content
 +
  response.addHeader( "X-FRAME-OPTIONS", "DENY" );
 +
 
 +
  // to allow framing of this content only by this site
 +
  response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );
 +
 
 +
However, this seems a bit intrusive and a lot of work.  In this article, we'll implement a simple JavaEE filter to add the X-FRAME-OPTIONS header to some or all parts of your application.
  
 
==Download==
 
==Download==
Line 22: Line 29:
 
The source code (one file) and the compiled class file are in a single zip file.
 
The source code (one file) and the compiled class file are in a single zip file.
  
'''[http://www.owasp.org/images/5/59/PDFAttackFilter.zip DOWNLOAD]'''
+
'''[http://www.owasp.org/images/5/59/XXXXX NOT READY YET XXXXXX.zip DOWNLOAD]'''
  
 
==Setup==
 
==Setup==
Line 33: Line 40:
 
<?xml version="1.0" encoding="UTF-8"?>
 
<?xml version="1.0" encoding="UTF-8"?>
 
<web-app id="WebApp_ID" version="2.4"
 
<web-app id="WebApp_ID" version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee"
+
    xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
+
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>OWASP ClickjackFilter</display-name>
+
    <display-name>OWASP ClickjackFilter</display-name>
 
+
    <filter>
<filter>
+
        <filter-name>ClickjackFilterDeny</filter-name>
<filter-name>ClickjackFilter</filter-name>
+
        <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
<filter-class>org.owasp.filters.ClickjackFilter</filter-class>
+
        <init-param>
</filter>
+
            <param-name>mode</param-name>
 
+
            <param-value>DENY</param-value>
<filter-mapping>  
+
        </init-param>
<filter-name>ClickjackFilter</filter-name>
+
    </filter>
<url-pattern>/*</url-pattern>
+
   
</filter-mapping>
+
    <filter>
 
+
        <filter-name>ClickjackFilterSameOrigin</filter-name>
 +
        <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
 +
        <init-param>
 +
            <param-name>mode</param-name>
 +
            <param-value>SAMEORIGIN</param-value>
 +
        </init-param>
 +
    </filter>
 +
   
 +
    <!--  use the Deny version to prevent anyone, including yourself, from framing the page -->
 +
    <filter-mapping>  
 +
        <filter-name>ClickjackFilterDeny</filter-name>
 +
        <url-pattern>/*</url-pattern>
 +
    </filter-mapping>
 +
   
 +
    <!-- use the SameOrigin version to allow your application to frame, but nobody else
 +
    <filter-mapping>
 +
        <filter-name>ClickjackFilterSameOrigin</filter-name>
 +
        <url-pattern>/*</url-pattern>
 +
    </filter-mapping>
 +
    -->
 +
   
 
</web-app>
 
</web-app>
 
</pre>
 
</pre>
Line 77: Line 104:
 
{
 
{
  
/**
+
    private String mode = "DENY";
* Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
+
   
* decide to implement) not to display this content in a frame. For details, please
+
    /**
* refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
+
    * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
*/
+
    * decide to implement) not to display this content in a frame. For details, please
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
+
    * refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
{
+
    */
 +
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
 
         HttpServletResponse res = (HttpServletResponse)response;
 
         HttpServletResponse res = (HttpServletResponse)response;
 
         chain.doFilter(request, response);
 
         chain.doFilter(request, response);
         res.addHeader("X-FRAME-OPTIONS", "DENY" );
+
         res.addHeader("X-FRAME-OPTIONS", mode );
}
+
    }
 
+
   
public void destroy() {
+
    public void destroy() {
}
+
    }
 
+
   
public void init(FilterConfig filterConfig) throws ServletException {
+
    public void init(FilterConfig filterConfig) {
}
+
        String configMode = filterConfig.getInitParameter("mode");
+
        if ( configMode != null ) {
 +
            mode = configMode;
 +
        }
 +
    }
 +
   
 
}
 
}
  

Revision as of 13:38, 6 February 2009

Contents

Status

Released Feb 6, 2009

Overview

Clickjacking is an attack that tricks users by showing them an innocuous page but including the real controls from sensitive pages. These controls are disguised through the use of background frames that mask off everything except the control, so that the user can't tell that they are actually clicking on a sensitive function in some other website.

The primary defense to clickjacking is to prevent your pages from being framed. The typical approach to this is to include a "frame-breaker" script in every page that ensures that the content is not framed. Here's an example of such a script.

 <script>...

Microsoft has included a defense in IE8 that allows developers to specify that pages should not be framed. They use a new X-FRAME-OPTIONS header to mark responses that shouldn't be framed. There are two options with X-FRAME-OPTIONS. The first is DENY, which prevents everyone from framing the content. The other option is SAMEORIGIN, which only allows the current site to frame the content. Currently this works in IE8 RC1+, but will not affect users of other browsers until they decide to implement this feature. Firefox users may want to look at the protection in NoScript.

Approach

We'd like to add the X-FRAME-OPTIONS header to any pages that shouldn't be framed. So we could go into every servlet and JSP and add one of the two following lines of code:

 // to prevent all framing of this content
 response.addHeader( "X-FRAME-OPTIONS", "DENY" );
 
 // to allow framing of this content only by this site
 response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );

However, this seems a bit intrusive and a lot of work. In this article, we'll implement a simple JavaEE filter to add the X-FRAME-OPTIONS header to some or all parts of your application.

Download

The source code (one file) and the compiled class file are in a single zip file.

NOT READY YET XXXXXX.zip DOWNLOAD

Setup

The first step is to add the filter to our application. All we have to do is put the ClickjackFilter class on our application's classpath, probably by putting it in the classes folder in WEB-INF. The class file should be in a folder structure that matches the package (org -> owasp -> filters -> ClickjackFilter). You can extract the class file from the zip file.

Then we just have to add the following filter definition and mapping to our web.xml. You should paste this in right above your servlet definitions. You should set up the mapping so it applies to any page that shouldn't be framed. Using /* will apply it to everything.

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name>OWASP ClickjackFilter</display-name>
    <filter>
        <filter-name>ClickjackFilterDeny</filter-name>
        <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
        <init-param>
            <param-name>mode</param-name>
            <param-value>DENY</param-value>
        </init-param>
    </filter>
    
    <filter>
        <filter-name>ClickjackFilterSameOrigin</filter-name>
        <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
        <init-param>
            <param-name>mode</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>
    
    <!--  use the Deny version to prevent anyone, including yourself, from framing the page -->
    <filter-mapping> 
        <filter-name>ClickjackFilterDeny</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    
    <!-- use the SameOrigin version to allow your application to frame, but nobody else
    <filter-mapping> 
        <filter-name>ClickjackFilterSameOrigin</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    -->
    
</web-app>


Source Code

/**
 *  Software published by the Open Web Application Security Project (http://www.owasp.org)
 *  This software is in the public domain with no warranty.
 *
 * @author     Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
 * @created    February 6, 2009
 */

package org.owasp.filters;
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ClickjackFilter implements Filter 
{

    private String mode = "DENY";
    	
    /**
     * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
     * decide to implement) not to display this content in a frame. For details, please
     * refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse)response;
        chain.doFilter(request, response);
        res.addHeader("X-FRAME-OPTIONS", mode );			
    }
    
    public void destroy() {
    }
    
    public void init(FilterConfig filterConfig) {
        String configMode = filterConfig.getInitParameter("mode");
        if ( configMode != null ) {
            mode = configMode;
        }
    }
    
}

Compile

There are not many dependencies here, just the standard Java EE environment. You can compile with:

 javac -classpath servlet-api.jar -d . *.java

Then just copy the 'org' folder that gets created to the WEB-INF/classes folder.