I created a .cfm template with the below contents to test the clickjacking issue.
<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="https://abcd.rw.xyz.com/mer/nao/app_v4/" width="500" height="500"></iframe>
</body>
</html>
And when I executed this template I was able to click on the "iframe" part, which indicates that there is a clickjacking issue. Right?
Is there any way to prevent the clickjacking issue via CF admin/application code?
Abdul L Koyappayil wrote:
I created a .cfm template with the below contents to test the clickjacking issue.
<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="https://abcd.rw.xyz.com/mer/nao/app_v4/" width="500" height="500"></iframe>
</body>
</html>
And when I executed this template I was able to click on the "iframe" part, which indicates that there is a clickjacking issue. Right?
Right, potentially. However, the question only makes sense if https://abcd.rw.xyz.com/mer/nao/app_v4/ is in your site. For example, if you replace that URL with http://www.google.com, you will find that no content will be displayed. You can interpret this to mean that Google has taken some precautions against clickjacking. I will therefore assume that the site you wish to protect is your own.
Clickjacking involves at least 3 parties: you (the ColdFusion site you wish to protect), the clickjacker (the foreign site that intends to use the malicious frames) and the client (the initial target or victim, usually the browser). The attacker's aim is to manipulate the browser into an illegitimate interaction with your site. As the browser is where the vulnerability is, it is also where the defence has to be. That defence is in a form that all browsers understand: headers or JavaScript.
ColdFusion has a new security setting especially to counteract clickjacking. It is configured in /WEB-INF/web.xml, and enables ColdFusion to send X-Frame-Options headers to the browser. As the documentation shows, you can enable it on the whole site, or on a per-mapping basis. For example, the following filter will prevent the kind of clickjacking you mention, for every request to your site:
<filter-mapping>
<filter-name>CFClickJackFilterDeny</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
You could alternatively use JavaScript on the pages you wish to protect. For examples, check out the Wikipedia article on framekillers.
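As an added example (not code from this thread, from ColdFusion, or from the Wikipedia article), here is the check a practitioner would run after enabling the filter, together with a framekiller of the kind the reply above points to. The first function classifies the framing policy a response announces through X-Frame-Options and Content-Security-Policy frame-ancestors, which is how you confirm the web.xml change actually reached the browser; the second is a framekiller written against a window parameter so it can be exercised with a mock. The header sets in SAMPLE_RESPONSES are constructed for illustration, and checkUrl assumes Node 18+ for the global fetch.

```javascript
// Added example, not code from the forum thread or from ColdFusion.
// (1) assessFrameProtection: what framing policy do the response headers announce?
// (2) frameKiller: JavaScript fallback for pages that cannot rely on headers.
// Runs under Node.js; SAMPLE_RESPONSES below are constructed, not captured.

// Returns { policy, source, allowed? } where policy is one of
// "deny", "sameorigin", "allow-list", "invalid", "none".
function assessFrameProtection(headers) {
  // HTTP header names are case-insensitive; normalise to lower case once.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }

  // CSP frame-ancestors takes precedence over X-Frame-Options in browsers
  // that understand it, so evaluate it first.
  const csp = h["content-security-policy"];
  if (csp) {
    const directive = csp
      .split(";")
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
      if (sources.includes("'none'")) return { policy: "deny", source: "csp" };
      if (sources.includes("*")) return { policy: "none", source: "csp" };
      if (sources.length === 1 && sources[0] === "'self'") {
        return { policy: "sameorigin", source: "csp" };
      }
      return { policy: "allow-list", source: "csp", allowed: sources };
    }
  }

  const xfo = h["x-frame-options"];
  if (xfo !== undefined) {
    const value = xfo.toUpperCase();
    if (value === "DENY") return { policy: "deny", source: "x-frame-options" };
    if (value === "SAMEORIGIN") return { policy: "sameorigin", source: "x-frame-options" };
    if (value.startsWith("ALLOW-FROM")) {
      // Only some older browsers ever honoured ALLOW-FROM; current ones
      // ignore the header entirely, which leaves the page frameable there.
      return { policy: "allow-list", source: "x-frame-options", allowed: xfo.split(/\s+/).slice(1) };
    }
    // Browsers ignore an X-Frame-Options value they do not recognise.
    return { policy: "invalid", source: "x-frame-options" };
  }
  return { policy: "none", source: null };
}

// True when an arbitrary third-party page could embed the response, i.e.
// when the test iframe from the first post would render its content.
function isFrameableByThirdParty(headers) {
  const { policy, source } = assessFrameProtection(headers);
  if (policy === "deny" || policy === "sameorigin") return false;
  if (policy === "allow-list" && source === "csp") return false;
  return true; // "none", "invalid", or X-Frame-Options ALLOW-FROM
}

// Framekiller: if this document is not the top-level browsing context,
// navigate the top frame to the document's own URL. Takes the window as a
// parameter so it can be tested with a mock; returns true when it broke out.
function frameKiller(win) {
  if (win.top === win.self) return false; // not framed, nothing to do
  win.top.location = win.self.location;  // bust out of the attacker's frame
  return true;
}

// In a real page this runs as early as possible, before any clickable content.
if (typeof window !== "undefined") frameKiller(window);

// Live check of a deployed site (Node 18+ global fetch; not exercised offline).
async function checkUrl(url) {
  const res = await fetch(url, { redirect: "manual" });
  return assessFrameProtection(Object.fromEntries(res.headers));
}

// Constructed responses standing in for the site before and after the
// web.xml change (CFClickJackFilterDeny / CFClickJackFilterSameOrigin).
const SAMPLE_RESPONSES = {
  beforeFilter: { "Content-Type": "text/html; charset=UTF-8" },
  cfClickJackFilterDeny: { "Content-Type": "text/html", "X-Frame-Options": "DENY" },
  cfClickJackFilterSameOrigin: { "Content-Type": "text/html", "x-frame-options": "sameorigin" },
  cspNone: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
};
```

Prefer the header-based defence where you can: a framekiller can be defeated by an attacker who sandboxes the iframe or blocks the top-level navigation, so treat it as a fallback for pages you cannot put behind the filter, not as the primary control.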
In my config file I can see two filter-mapping settings as below.
1.
<filter-mapping>
<filter-name>FusionReactor</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
2.
<!-- ==================== Built In Filter Mappings ====================== -->
<!-- The mapping for the SSI Filter -->
<!--
<filter-mapping>
<filter-name>ssi</filter-name>
<url-pattern>*.shtml</url-pattern>
</filter-mapping>
-->
Here the second one is commented out.
I have two questions here.
1] Can I add the mapping (that you mentioned in your last post) anywhere in this config file (web.xml)?
2] Is there no need to mention the domain name in the URL pattern, as below?
<filter-mapping>
<filter-name>CFClickJackFilterDeny</filter-name>
<url-pattern>https://abcd.rw.xyz.com/mer/nao/app_v4/*</url-pattern>
</filter-mapping>
1) Make sure you are in the /WEB-INF/web.xml configuration file. It has a section for the clickjacking filter.
2) The pattern in my post (/*) stands for abcd.rw.xyz.com/*, where * is, as usual, the wildcard.
I have many CF instances on a server and each instance contains many applications. So, for me, the file which needs to be modified would be as below.
/opt/coldfusion/{instance_name}/runtime/conf/web.xml
Here I couldn't find any section for the clickjacking filter; instead I am able to see those two mappings as I mentioned in my last post.
Am I doing anything wrong?
Look in - just a guess - /opt/coldfusion/{instance_name}/wwwroot/WEB-INF/
Here I can see below two settings.
<!-- CF ClickJacking deny protection Filter -->
<filter>
<filter-name>CFClickJackFilterDeny</filter-name>
<filter-class>coldfusion.bootstrap.BootstrapFilter</filter-class>
<init-param>
<param-name>filter.class</param-name>
<param-value>coldfusion.filter.ClickjackingProtectionFilter</param-value>
</init-param>
<init-param>
<param-name>mode</param-name>
<param-value>DENY</param-value>
</init-param>
</filter>
<!-- CF ClickJacking same origin protection Filter -->
<filter>
<filter-name>CFClickJackFilterSameOrigin</filter-name>
<filter-class>coldfusion.bootstrap.BootstrapFilter</filter-class>
<init-param>
<param-name>filter.class</param-name>
<param-value>coldfusion.filter.ClickjackingProtectionFilter</param-value>
</init-param>
<init-param>
<param-name>mode</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
</filter>
But I cannot see a node like <filter-mapping> anywhere in the above two settings. Can you just confirm that either of these two settings is the right place? If these are the correct place then I just need to add the url-pattern. Right?
Abdul L Koyappayil wrote:
Here I can see below two settings.
<!-- CF ClickJacking deny protection Filter -->
<filter>
<filter-name>CFClickJackFilterDeny</filter-name>
<filter-class>coldfusion.bootstrap.BootstrapFilter</filter-class>
<init-param>
<param-name>filter.class</param-name>
<param-value>coldfusion.filter.ClickjackingProtectionFilter</param-value>
</init-param>
<init-param>
<param-name>mode</param-name>
<param-value>DENY</param-value>
</init-param>
</filter>
<!-- CF ClickJacking same origin protection Filter -->
<filter>
<filter-name>CFClickJackFilterSameOrigin</filter-name>
<filter-class>coldfusion.bootstrap.BootstrapFilter</filter-class>
<init-param>
<param-name>filter.class</param-name>
<param-value>coldfusion.filter.ClickjackingProtectionFilter</param-value>
</init-param>
<init-param>
<param-name>mode</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
</filter>
But I cannot see a node like <filter-mapping> anywhere in the above two settings. Can you just confirm that either of these two settings is the right place? If these are the correct place then I just need to add the url-pattern. Right?
Right. Just add your own filter-mapping element underneath these 2 filters. Then restart ColdFusion!
Test using your original frame code. You may wish to experiment between the choices CFClickJackFilterSameOrigin and CFClickJackFilterDeny in the filter-mapping element that you add.
Ok. Suppose, if I am adding the filter-mapping as given below, then I cannot use an iframe anywhere in the site https://abcd.rw.xyz.com/mer/nao/app_v4/. That's what it means. Right?
<filter-mapping>
<filter-name>CFClickJackFilterDeny</filter-name>
<url-pattern>https://abcd.rw.xyz.com/mer/nao/app_v4/*</url-pattern>
</filter-mapping>
Abdul L Koyappayil wrote:
Ok. Suppose, if I am adding the filter-mapping as given below, then I cannot use an iframe anywhere in the site https://abcd.rw.xyz.com/mer/nao/app_v4/. That's what it means. Right?
Right, but it means more. No one else could put your site in their IFrame!
Be aware that your filter, /abcd.rw.xyz.com/mer/nao/app_v4/*, is restrictive. For example, it won't apply to abcd.rw.xyz.com, abcd.rw.xyz.com/mer/ or abcd.rw.xyz.com/mer/nao/.
In fact, on reviewing this, I think your above filter should be something like
<filter-mapping>
<filter-name>CFClickJackFilterDeny</filter-name>
<url-pattern>/mer/nao/app_v4/*</url-pattern>
</filter-mapping>
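The two replies above turn on how a servlet container scopes a url-pattern, and the earlier question of whether the domain belongs in the pattern comes down to the same rule. As an added example (not code from this thread, from ColdFusion, or from Tomcat), the model below reproduces the url-pattern forms of the Servlet specification and reports which sample URLs a given filter-mapping leaves uncovered. It assumes the application is deployed at the root context ("/"), as ColdFusion's wwwroot is, so the request path is the URL path unchanged; the MAPPINGS and SAMPLE_URLS are constructed for illustration.

```javascript
// Added example, not code from the forum thread or from ColdFusion/Tomcat.
// Models how a servlet container decides which <filter-mapping> entries apply
// to a request, so the scope of a url-pattern can be checked before editing
// web.xml. Assumes a root context ("/"), as ColdFusion's wwwroot is.
// Pattern forms per the Servlet spec: exact ("/a/b.cfm"), path prefix ("/a/*"),
// extension ("*.cfm") and the catch-all "/*".

function requestPath(url) {
  // Scheme, host, port and query string never take part in matching, which
  // is why "https://host/mer/..." inside a url-pattern cannot work.
  return new URL(url).pathname;
}

function matchesUrlPattern(pattern, path) {
  if (pattern === "/*") return true;
  if (pattern.startsWith("/") && pattern.endsWith("/*")) {
    // Path-prefix mapping: "/mer/nao/app_v4/*" covers "/mer/nao/app_v4" and
    // everything below it, but not "/mer/" or "/mer/nao/app_v4x".
    const prefix = pattern.slice(0, -2);
    return path === prefix || path.startsWith(prefix + "/");
  }
  if (pattern.startsWith("*.")) {
    // Extension mapping is decided on the last path segment only.
    const last = path.slice(path.lastIndexOf("/") + 1);
    return last.endsWith(pattern.slice(1)) && last.length > pattern.length - 1;
  }
  return pattern === path; // exact mapping
}

// Names of all filters whose mapping matches the request path, in web.xml
// order. Filters chain, so every matching mapping applies, not only the most
// specific one. A mapping may carry several url-pattern elements (Servlet 2.5
// and later), which this model allows via the patterns array.
function filtersFor(mappings, path) {
  return mappings
    .filter((m) => m.patterns.some((p) => matchesUrlPattern(p, path)))
    .map((m) => m.filterName);
}

// URLs from a list that the named filter would NOT be applied to.
function uncoveredUrls(mappings, filterName, urls) {
  return urls.filter((u) => !filtersFor(mappings, requestPath(u)).includes(filterName));
}

// Constructed mappings: the narrow one from the thread and a site-wide one.
const MAPPINGS_NARROW = [
  { filterName: "CFClickJackFilterDeny", patterns: ["/mer/nao/app_v4/*"] },
];
const MAPPINGS_SITE_WIDE = [
  { filterName: "CFClickJackFilterDeny", patterns: ["/*"] },
];

// Constructed sample URLs on the thread's host.
const SAMPLE_URLS = [
  "https://abcd.rw.xyz.com/",
  "https://abcd.rw.xyz.com/mer/",
  "https://abcd.rw.xyz.com/mer/nao/",
  "https://abcd.rw.xyz.com/mer/nao/app_v4",
  "https://abcd.rw.xyz.com/mer/nao/app_v4/index.cfm?id=1",
  "https://abcd.rw.xyz.com/mer/nao/app_v4x/index.cfm",
];
```

Run uncoveredUrls(MAPPINGS_NARROW, "CFClickJackFilterDeny", SAMPLE_URLS) to see the four paths the narrow pattern leaves frameable; the same call with MAPPINGS_SITE_WIDE returns none. Note that the prefix form also covers the sibling-looking path only when the segment boundary matches, so "/mer/nao/app_v4x/" stays outside "/mer/nao/app_v4/*".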
I have modified the config file by adding the filter. Will update you once I have tested the changes. Currently I am not able to do this as the CF instance, where I am doing these changes, is down.
Thanks for the update. Out of curiosity, did the instance go down after you made the changes? If so, the changes might have been fatal.
Yes, it's working fine....
BKBK wrote:
Thanks for the update. Out of curiosity, did the instance go down after you made the changes? If so, the changes might have been fatal.
I think no. The issue was that the port connecting to this instance was not active.
I have one doubt here.
I need to prevent this clickjacking issue for another application as well. I did this by adding one more filter-mapping. Can I achieve this by adding multiple url-patterns in a single filter-mapping? If possible, which is the best method? Any idea?
Abdul L Koyappayil wrote:
I have one doubt here.
I need to prevent this clickjacking issue for another application as well. I did this by adding one more filter-mapping. Can I achieve this by adding multiple url-patterns in a single filter-mapping? If possible, which is the best method? Any idea?
It is more informative for us to discuss one issue at a time. Before moving to something else, please give us your feedback on the use of the clickjacking filter in web.xml as answer to your original question. At the moment, all we know is that you are unable to test anything because your server instance is down.
I think you will get a more fruitful discussion from the forum if you round off one topic before opening the next, however related the 2 topics may be. In fact, such a 'separation of concerns' will also make for more informative forum threads. A future reader may be interested in your original issue, but not in the next. Could you round off this thread and, if you wish, open another on multiple url-patterns?
I have clearly mentioned in my last post that it's working fine. A future reader can easily understand this. Right?
As you wish I will round off this thread and will open a new thread regarding multiple url patterns in a single filter mapping.
Abdul L Koyappayil wrote:
I have clearly mentioned in my last post that it's working fine. A future reader can easily understand this. Right?
I misunderstood that. I thought, by 'working fine', you meant your instance was up and running. I am glad to hear that your clickjacking defence is now in place.
np....
I am disturbing you again.... If you don't mind, can you please have a look here: Clickjacking issue - adding multiple url patterns in a single filter mapping
Please do continue! We all learn from the experiences you share with us.
Hi Abdul,
It is located at <cf_install_root>\cfusion\wwwroot\WEB-INF\web.xml configuration file.
Regards,
Nimit
Sumit,
I think that the path should be /opt/coldfusion/{instance_name}/wwwroot/WEB-INF/ as the server contains many CF instances in my case. So, like BKBK, I also guess that the path should contain the instance name as well. Correct me if I am wrong.
Yes, the instance name should also be changed as per your configuration. In my case, it was "cfusion".
<filter-mapping> should also be there. Otherwise, you can add it as mentioned below:
<filter-mapping>
<filter-name>CFClickJackFilterSameOrigin</filter-name>
<url-pattern><PATH></url-pattern>
</filter-mapping>
Abdul L Koyappayil wrote:
Sumit ,
I think that the path should be /opt/coldfusion/{instance_name}/wwwroot/WEB-INF/ as the server contains many cf instances in my case. So , as BKBK , I aslo guess that the path should contain the instance name as well.
Correct. An instance holds a site, and you want the clickjacking filter to apply to just one site.