How to prevent clickjacking issue in CF

Explorer, Sep 17, 2014

I created a cfm template with below contents to test clickjacking issue.

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="https://abcd.rw.xyz.com/mer/nao/app_v4/" width="500" height="500"></iframe>
</body>
</html>

And when I executed this template I was able to click on the "iframe" part, which indicates that there is a clickjacking issue. Right??

Is there any way to prevent the clickjacking issue via CF admin/application code?

Views: 4.8K

Community guidelines: Be kind and respectful, give credit to the original source of content, and search for duplicates before posting.

1 Correct answer: Community Expert, Sep 23, 2014 (in the thread below)

Community Expert, Sep 20, 2014

Abdul L Koyappayil wrote:

I created a cfm template with below contents to test clickjacking issue.

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="https://abcd.rw.xyz.com/mer/nao/app_v4/" width="500" height="500"></iframe>
</body>
</html>

And when I executed this template I was able to click on the "iframe" part, which indicates that there is a clickjacking issue. Right??

Right, potentially. However, the question only makes sense if https://abcd.rw.xyz.com/mer/nao/app_v4/ is in your site. For example, if you replace that URL with http://www.google.com, you will find that no content will be displayed. You can interpret this to mean that Google has taken some precautions against clickjacking. I will therefore assume that the site you wish to protect is your own.

Clickjacking involves at least 3 parties: you (the ColdFusion site you wish to protect), the clickjacker (the foreign site that intends using the malicious frames) and the client (the initial target or victim, usually the browser). The attacker's aim is to manipulate the browser into an illegitimate interaction with your site. As the browser is where the vulnerability is, it is also where the defence has to be. That defence is in a form that all browsers understand: headers or JavaScript.

ColdFusion has a new security setting especially to counteract clickjacking. It is configured in /WEB-INF/web.xml, and enables ColdFusion to send X-Frame-Options headers to the browser. As the documentation shows, you can enable it on the whole site, or on a per-mapping basis. For example, the following filter will prevent the kind of clickjacking you mention, for every request to your site:

<filter-mapping>
    <filter-name>CFClickJackFilterDeny</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

You could alternatively use JavaScript on the pages you wish to protect. For examples, check out the Wikipedia article on framekillers.

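The answer above says the defence lives in the browser and is driven by the X-Frame-Options header that the web.xml filter makes ColdFusion send. The natural way to confirm the filter is in effect after the restart is to look at the response headers rather than at the iframe test page. The following Python check is an added example, not code from this thread, from Adobe or from ColdFusion: it classifies the anti-framing policy expressed by a set of response headers (X-Frame-Options, and the Content-Security-Policy frame-ancestors directive that newer browsers prefer). The header sets in SAMPLES are constructed, the hostname in them is a placeholder, and check_url is an optional live probe over an HTTP HEAD request using only the standard library.

```python
"""Classify the anti-framing policy carried by HTTP response headers.

Added example, not code from the thread, Adobe or ColdFusion. The header
sets in SAMPLES are constructed; the hostname in them is a placeholder.
"""
import urllib.request
from typing import Dict, Optional

# Policies under which a browser refuses to render the page in a foreign frame.
PROTECTED = ("csp", "deny", "sameorigin")


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Return which anti-framing policy the headers express.

    'csp'        Content-Security-Policy with a frame-ancestors directive
                 (modern browsers give it precedence over X-Frame-Options)
    'deny'       X-Frame-Options: DENY (what CFClickJackFilterDeny sends)
    'sameorigin' X-Frame-Options: SAMEORIGIN (CFClickJackFilterSameOrigin)
    'weak'       X-Frame-Options present but obsolete or malformed, e.g.
                 ALLOW-FROM or two values; browsers ignore such a header
    'none'       no anti-framing header at all: the page can be framed
    """
    csp = _lookup(headers, "Content-Security-Policy")
    if csp is not None:
        directives = [d.strip().lower() for d in csp.split(";")]
        if any(d.startswith("frame-ancestors") for d in directives):
            return "csp"
    xfo = _lookup(headers, "X-Frame-Options")
    if xfo is None:
        return "none"
    value = xfo.strip().upper()
    if value == "DENY":
        return "deny"
    if value == "SAMEORIGIN":
        return "sameorigin"
    return "weak"


def is_protected(headers: Dict[str, str]) -> bool:
    """True when a browser will refuse to render the page inside a foreign frame."""
    return framing_policy(headers) in PROTECTED


def check_url(url: str, timeout: float = 10.0) -> str:
    """Live probe: send a HEAD request and classify the real response headers.
    Not exercised by the samples below; meant for a practitioner's own site."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return framing_policy(dict(response.headers.items()))


# Constructed header sets mimicking the states discussed in the thread.
SAMPLES = {
    "before_filter": {"Content-Type": "text/html; charset=UTF-8"},
    "after_filter_deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "after_filter_sameorigin": {"Content-Type": "text/html",
                                "X-Frame-Options": "SAMEORIGIN"},
    "obsolete_allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp_only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(f"{name:24s} policy={framing_policy(headers):10s} "
              f"protected={is_protected(headers)}")
```

Running the script prints one line per sample; to probe a real deployment, call check_url("https://your-host/mer/nao/app_v4/") from a Python shell and expect 'deny' or 'sameorigin' once the filter-mapping is active and ColdFusion has been restarted. The 'weak' case is worth keeping in mind: an X-Frame-Options header that is present but carries an obsolete or doubled value gives no protection, so a check that only tests for the header's presence would pass a site that is still frameable.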
Explorer, Sep 22, 2014

In my config file I can see two filter-mapping settings as below.

1.  <filter-mapping>
        <filter-name>FusionReactor</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

2.  -->
    <!-- ==================== Built In Filter Mappings ====================== -->
    <!-- The mapping for the SSI Filter -->
    <!--
    <filter-mapping>
        <filter-name>ssi</filter-name>
        <url-pattern>*.shtml</url-pattern>
    </filter-mapping>
    -->

Here the second one is commented.

I have two questions here.

1] Can I add the mapping (that you mentioned in your last post) anywhere in this config file (web.xml)?

2] No need to mention the domain name in the URL pattern, as below?

<filter-mapping>
    <filter-name>CFClickJackFilterDeny</filter-name>
    <url-pattern>https://abcd.rw.xyz.com/mer/nao/app_v4/*</url-pattern>
</filter-mapping>

Community Expert, Sep 22, 2014

1) Make sure you are in the /WEB-INF/web.xml configuration file. It has a section for the clickjacking filter.

2) The pattern in my post (/*) stands for abcd.rw.xyz.com/*, where * is, as usual, the wildcard.

Explorer, Sep 22, 2014

I have many CF instances on a server and each instance contains many applications. So, for me, the file which needs to be modified would be as below.

/opt/coldfusion/{instance_name}/runtime/conf/web.xml.

Here I couldn't find any section for the clickjacking filter; instead I am able to see those two mappings, as I mentioned in my last post.

Am I doing anything wrong??

Community Expert, Sep 22, 2014

Look in - just a guess - /opt/coldfusion/{instance_name}/wwwroot/WEB-INF/

Explorer, Sep 22, 2014

Here I can see below two settings.

    <!-- CF ClickJacking deny protection Filter  -->
    <filter>
        <filter-name>CFClickJackFilterDeny</filter-name>
        <filter-class>coldfusion.bootstrap.BootstrapFilter</filter-class>
        <init-param>
            <param-name>filter.class</param-name>
            <param-value>coldfusion.filter.ClickjackingProtectionFilter</param-value>
        </init-param>
        <init-param>
            <param-name>mode</param-name>
            <param-value>DENY</param-value>
        </init-param>
    </filter>

    <!-- CF ClickJacking same origiin protection Filter  -->
    <filter>
        <filter-name>CFClickJackFilterSameOrigin</filter-name>
        <filter-class>coldfusion.bootstrap.BootstrapFilter</filter-class>
        <init-param>
            <param-name>filter.class</param-name>
            <param-value>coldfusion.filter.ClickjackingProtectionFilter</param-value>
        </init-param>
        <init-param>
            <param-name>mode</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>

But I cannot see a node like <filter-mapping> anywhere in the above two settings. Can you just confirm that either of these two settings is the right place?? If these are the correct place, then I just need to add the url-pattern. Right??

Community Expert, Sep 22, 2014

Abdul L Koyappayil wrote:

Here I can see below two settings.

    <!-- CF ClickJacking deny protection Filter  -->
    <filter>
        <filter-name>CFClickJackFilterDeny</filter-name>
        <filter-class>coldfusion.bootstrap.BootstrapFilter</filter-class>
        <init-param>
            <param-name>filter.class</param-name>
            <param-value>coldfusion.filter.ClickjackingProtectionFilter</param-value>
        </init-param>
        <init-param>
            <param-name>mode</param-name>
            <param-value>DENY</param-value>
        </init-param>
    </filter>

    <!-- CF ClickJacking same origiin protection Filter  -->
    <filter>
        <filter-name>CFClickJackFilterSameOrigin</filter-name>
        <filter-class>coldfusion.bootstrap.BootstrapFilter</filter-class>
        <init-param>
            <param-name>filter.class</param-name>
            <param-value>coldfusion.filter.ClickjackingProtectionFilter</param-value>
        </init-param>
        <init-param>
            <param-name>mode</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>

But I cannot see a node like <filter-mapping> anywhere in the above two settings. Can you just confirm that either of these two settings is the right place?? If these are the correct place, then I just need to add the url-pattern. Right??

Right. Just add your own filter-mapping element underneath these 2 filters. Then restart ColdFusion!

Test using your original frame code. You may wish to experiment between the choices CFClickJackFilterSameOrigin and CFClickJackFilterDeny in the filter-mapping element that you add.

Explorer, Sep 22, 2014

Ok. Suppose, if I am adding the filter-mapping as given below, then I cannot use an iframe anywhere in the site https://abcd.rw.xyz.com/mer/nao/app_v4/. That's what it means. Right???

<filter-mapping>
    <filter-name>CFClickJackFilterDeny</filter-name>
    <url-pattern>https://abcd.rw.xyz.com/mer/nao/app_v4/*</url-pattern>
</filter-mapping>

Community Expert, Sep 22, 2014

Abdul L Koyappayil wrote:

Ok. Suppose, if I am adding the filter-mapping as given below, then I cannot use an iframe anywhere in the site https://abcd.rw.xyz.com/mer/nao/app_v4/. That's what it means. Right???

Right, but it means more. No one else could put your site in their IFrame!

Community Expert, Sep 22, 2014

Be aware that your filter, /abcd.rw.xyz.com/mer/nao/app_v4/*, is restrictive. For example, it won't apply to abcd.rw.xyz.com, abcd.rw.xyz.com/mer/ or abcd.rw.xyz.com/mer/nao/.

Community Expert, Sep 23, 2014

In fact, on reviewing this, I think your above filter should be something like

<filter-mapping>
    <filter-name>CFClickJackFilterDeny</filter-name>
    <url-pattern>/mer/nao/app_v4/*</url-pattern>
</filter-mapping>

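The last few replies turn on how a servlet container reads a <url-pattern>: /* means "every path on this site", /mer/nao/app_v4/* covers only that application and not /mer/ or /mer/nao/, and a pattern that starts with https://host/... is not a valid path mapping at all, which is why the expert corrected it. The following Python is an added example, not code from this thread, from Adobe or from ColdFusion; it re-implements the four pattern shapes of the Java Servlet specification (default, path prefix, extension, exact) so a practitioner can see which request paths a given mapping covers before restarting the instance. MAPPINGS and PATHS are constructed stand-ins for the web.xml and the URLs discussed in the thread; pattern_problem is a hypothetical helper name that flags the scheme-and-host mistake.

```python
"""Servlet <url-pattern> matching, to see which request paths a
filter-mapping actually covers.

Added example, not code from the thread, Adobe or ColdFusion; it implements
the pattern rules of the Java Servlet specification in plain Python. The
MAPPINGS list is a constructed stand-in for a web.xml.
"""
from typing import Dict, List, Optional, Tuple


def matches(url_pattern: str, path: str) -> bool:
    """Does a servlet-style <url-pattern> match the path part of a request?

    The container only ever compares the pattern against the request path
    (no scheme, no host) and understands four shapes: '/' (default, matches
    everything), '/prefix/*' (path mapping; the prefix itself also matches,
    as in Tomcat), '*.ext' (extension mapping), and anything else as an
    exact match.
    """
    if url_pattern == "/":
        return True
    if url_pattern.startswith("/") and url_pattern.endswith("/*"):
        prefix = url_pattern[:-2]             # '/mer/nao/app_v4/*' -> '/mer/nao/app_v4'
        return path == prefix or path.startswith(prefix + "/")
    if url_pattern.startswith("*."):
        return path.endswith(url_pattern[1:])  # '*.shtml' -> '.shtml'
    return path == url_pattern


def pattern_problem(url_pattern: str) -> Optional[str]:
    """Explain why a pattern can never fire, or return None if it looks sane.

    Catches the mistake from the thread: putting the scheme and host name in
    the pattern turns it into an exact match that no request path can equal,
    so the clickjacking filter silently never runs.
    """
    if "://" in url_pattern or not (url_pattern.startswith("/") or url_pattern.startswith("*.")):
        return ("contains a scheme/host or does not start with '/' or '*.': "
                "treated as an exact match, so it never fires for a real request path")
    if "*" in url_pattern and not (url_pattern.endswith("/*") or url_pattern.startswith("*.")):
        return "'*' is only a wildcard as a trailing '/*' or a leading '*.'"
    return None


def applied_filters(mappings: List[Tuple[str, str]], path: str) -> List[str]:
    """Names of the filters whose mapping matches the path, in web.xml order
    (the order in which the container chains them)."""
    return [name for name, pattern in mappings if matches(pattern, path)]


def coverage(url_pattern: str, paths: List[str]) -> Dict[str, bool]:
    """Map each request path to whether the pattern would apply to it."""
    return {path: matches(url_pattern, path) for path in paths}


# Constructed stand-in for the filter-mappings in the thread's web.xml.
MAPPINGS = [
    ("FusionReactor", "/*"),
    ("CFClickJackFilterDeny", "/mer/nao/app_v4/*"),
]

# Request paths from the thread; the app_v4 mapping covers only the last three.
PATHS = ["/", "/mer/", "/mer/nao/", "/mer/nao/app_v4",
         "/mer/nao/app_v4/", "/mer/nao/app_v4/index.cfm"]

if __name__ == "__main__":
    for pattern in ["/*", "/mer/nao/app_v4/*",
                    "https://abcd.rw.xyz.com/mer/nao/app_v4/*"]:
        print(pattern, "->", pattern_problem(pattern) or "ok")
        for path, hit in coverage(pattern, PATHS).items():
            print(f"    {path:28s} {'filtered' if hit else 'NOT filtered'}")
```

The output for /mer/nao/app_v4/* reproduces the warning given above: the site root, /mer/ and /mer/nao/ are not filtered, so those pages can still be framed unless they have their own mapping or the site-wide /* mapping is used instead. The same matches function also shows why a second application needs its own filter-mapping (or a site-wide pattern): each mapping carries exactly the paths its pattern names.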
Explorer, Sep 23, 2014

I have modified the config file by adding the filter. I will update you once I have tested the changes. Currently I am not able to do this as the CF instance, where I am doing these changes, is down.

Community Expert, Sep 23, 2014

Thanks for the update. Out of curiosity, did the instance go down after you made the changes? If so, the changes might have been fatal.

Explorer, Sep 23, 2014

Yes, it's working fine....

BKBK wrote:

Thanks for the update. Out of curiosity, did the instance go down after you made the changes? If so, the changes might have been fatal.

I think not. The issue was that the port connecting to this instance was not active.

I have one doubt here.

I need to prevent this clickjacking issue for another application as well. But I did this by adding one more filter-mapping. Can I achieve this by adding multiple url-patterns in a single filter-mapping? If possible, which is the best method? Any idea?

Community Expert, Sep 24, 2014

Abdul L Koyappayil wrote:

I have one doubt here.

I need to prevent this clickjacking issue for another application as well. But I did this by adding one more filter-mapping. Can I achieve this by adding multiple url-patterns in a single filter-mapping? If possible, which is the best method? Any idea?

It is more informative for us to discuss one issue at a time. Before moving to something else, please give us your feedback on the use of the clickjacking filter in web.xml as answer to your original question. At the moment, all we know is that you are unable to test anything because your server instance is down.

I think you will get a more fruitful discussion from the forum if you round off one topic before opening the next, however related the 2 topics may be. In fact, such a 'separation of concerns' will also make for more informative forum threads. A future reader may be interested in your original issue, but not in the next. Could you round off this thread and, if you wish, open another on multiple url-patterns?

Explorer, Sep 24, 2014

I have clearly mentioned in my last post that it's working fine. A future reader can easily understand this. Right???

As you wish I will round off this thread and will open a new thread regarding multiple url patterns in a single filter mapping.

Community Expert, Sep 24, 2014

Abdul L Koyappayil wrote:

I have clearly mentioned in my last post that it's working fine. A future reader can easily understand this. Right???

I misunderstood that. I thought, by 'working fine', you meant your instance was up and running. I am glad to hear that your clickjacking defence is now in place.

Explorer, Sep 24, 2014

np....

I am disturbing you again.... If you don't mind, can you please have a look here: Clickjacking issue - adding multiple url patterns in a single filter mapping

Community Expert, Sep 24, 2014

Please do continue! We all learn from the experiences you share with us.

Adobe Employee, Sep 22, 2014

Hi Abdul,

It is located at <cf_install_root>\cfusion\wwwroot\WEB-INF\web.xml configuration file.

Regards,

Nimit

Explorer, Sep 22, 2014

Sumit,

I think that the path should be /opt/coldfusion/{instance_name}/wwwroot/WEB-INF/ as the server contains many CF instances in my case. So, as BKBK, I also guess that the path should contain the instance name as well. Correct me if I am wrong.

Adobe Employee, Sep 22, 2014

Yes, the instance name should also be changed as per your configuration. In my case, it was "cfusion".

<filter-mapping> should also be there. Otherwise, you can add it as mentioned below:

<filter-mapping>
    <filter-name>CFClickJackFilterSameOrigin</filter-name>
    <url-pattern><PATH></url-pattern>
</filter-mapping>

Community Expert, Sep 22, 2014

Abdul L Koyappayil wrote:

Sumit,

I think that the path should be /opt/coldfusion/{instance_name}/wwwroot/WEB-INF/ as the server contains many CF instances in my case. So, as BKBK, I also guess that the path should contain the instance name as well.

Correct. An instance holds a site, and you want the clickjacking filter to apply to just one site.
