23 Replies Latest reply on Sep 24, 2014 4:35 AM by BKBK

    How to prevent clickjacking issue in CF

    Abdul L Koyappayil Level 1

      I created a cfm template with the below contents to test the clickjacking issue.

      <html>
      <head>
      <title>Clickjack test page</title>
      </head>
      <body>
      <p>Website is vulnerable to clickjacking!</p>
      <iframe src="https://abcd.rw.xyz.com/mer/nao/app_v4/" width="500" height="500"></iframe>
      </body>
      </html>

      And when I executed this template, I was able to click on the "iframe" part, which indicates that there is a clickjacking issue. Right?

      Is there any way to prevent the clickjacking issue via CF admin/application code?

        • 1. Re: How to prevent clickjacking issue in CF
          BKBK Adobe Community Professional & MVP

          Abdul L Koyappayil wrote:

          I created a cfm template with the below contents to test the clickjacking issue.

          <html>
          <head>
          <title>Clickjack test page</title>
          </head>
          <body>
          <p>Website is vulnerable to clickjacking!</p>
          <iframe src="https://abcd.rw.xyz.com/mer/nao/app_v4/" width="500" height="500"></iframe>
          </body>
          </html>

          And when I executed this template, I was able to click on the "iframe" part, which indicates that there is a clickjacking issue. Right?

          Right, potentially. However, the question only makes sense if https://abcd.rw.xyz.com/mer/nao/app_v4/ is in your site. For example, if you replace that URL with http://www.google.com, you will find that no content will be displayed. You can interpret this to mean that Google has taken some precautions against clickjacking. I will therefore assume that the site you wish to protect is your own.

           

          Clickjacking involves at least 3 parties: you (the ColdFusion site you wish to protect), the clickjacker (the foreign site that intends to use the malicious frames) and the client (the initial target or victim, usually the browser). The attacker's aim is to manipulate the browser into an illegitimate interaction with your site. As the browser is where the vulnerability is, it is also where the defence has to be. That defence is in a form that all browsers understand: headers or JavaScript.

           

          ColdFusion has a new security setting especially to counteract clickjacking. It is configured in /WEB-INF/web.xml, and enables ColdFusion to send X-Frame-Options headers to the browser. As the documentation shows, you can enable it on the whole site, or on a per-mapping basis. For example, the following filter will prevent the kind of clickjacking you mention, for every request to your site:

          <filter-mapping>
              <filter-name>CFClickJackFilterDeny</filter-name>
              <url-pattern>/*</url-pattern>
          </filter-mapping>

          You could alternatively use JavaScript on the pages you wish to protect. For examples, check out the Wikipedia article on Framekillers.

          • 2. Re: How to prevent clickjacking issue in CF
            Abdul L Koyappayil Level 1

            In my config file I can see two filter-mapping settings, as below.

            1.  <filter-mapping>
                    <filter-name>FusionReactor</filter-name>
                    <url-pattern>/*</url-pattern>
                </filter-mapping>

            2.  -->
                <!-- ==================== Built In Filter Mappings ====================== -->
                <!-- The mapping for the SSI Filter -->
                <!--
                <filter-mapping>
                    <filter-name>ssi</filter-name>
                    <url-pattern>*.shtml</url-pattern>
                </filter-mapping>
                -->

            Here the second one is commented out.

            I have two questions here.

            1] Can I add the mapping (that you mentioned in your last post) anywhere in this config file (web.xml)?

            2] Is there no need to mention the domain name in the URL pattern, as below?

                <filter-mapping>
                    <filter-name>CFClickJackFilterDeny</filter-name>
                    <url-pattern>https://abcd.rw.xyz.com/mer/nao/app_v4/*</url-pattern>
                </filter-mapping>

            • 3. Re: How to prevent clickjacking issue in CF
              BKBK Adobe Community Professional & MVP

              1) Make sure you are in the /WEB-INF/web.xml configuration file. It has a section for the clickjacking filter.

              2) The pattern in my post (/*) stands for abcd.rw.xyz.com/*, where * is, as usual, the wildcard.

              • 4. Re: How to prevent clickjacking issue in CF
                Abdul L Koyappayil Level 1

                I have many CF instances on a server and each instance contains many applications. So, for me, the file which needs to be modified would be as below.

                /opt/coldfusion/{instance_name}/runtime/conf/web.xml

                Here I couldn't find any section for the clickjacking filter; instead I am able to see those two mappings, as I mentioned in my last post.

                Am I doing anything wrong?

                • 5. Re: How to prevent clickjacking issue in CF
                  BKBK Adobe Community Professional & MVP

                  Look in - just a guess - /opt/coldfusion/{instance_name}/wwwroot/WEB-INF/

                  • 6. Re: How to prevent clickjacking issue in CF
                    Sharma Nimit Adobe Employee

                    Hi Abdul,

                     

                    It is located at <cf_install_root>\cfusion\wwwroot\WEB-INF\web.xml configuration file.

                     

                    Regards,

                    Nimit

                    • 7. Re: How to prevent clickjacking issue in CF
                      Abdul L Koyappayil Level 1

                      Here I can see the below two settings.

                          <!-- CF ClickJacking deny protection Filter  -->
                          <filter>
                              <filter-name>CFClickJackFilterDeny</filter-name>
                              <filter-class>coldfusion.bootstrap.BootstrapFilter</filter-class>
                              <init-param>
                                  <param-name>filter.class</param-name>
                                  <param-value>coldfusion.filter.ClickjackingProtectionFilter</param-value>
                              </init-param>
                              <init-param>
                                  <param-name>mode</param-name>
                                  <param-value>DENY</param-value>
                              </init-param>
                          </filter>

                          <!-- CF ClickJacking same origin protection Filter  -->
                          <filter>
                              <filter-name>CFClickJackFilterSameOrigin</filter-name>
                              <filter-class>coldfusion.bootstrap.BootstrapFilter</filter-class>
                              <init-param>
                                  <param-name>filter.class</param-name>
                                  <param-value>coldfusion.filter.ClickjackingProtectionFilter</param-value>
                              </init-param>
                              <init-param>
                                  <param-name>mode</param-name>
                                  <param-value>SAMEORIGIN</param-value>
                              </init-param>
                          </filter>

                      But I cannot see a node like <filter-mapping> anywhere in the above two settings. Can you just confirm whether either of these two settings is the right place? If these are the correct place, then I just need to add the url-pattern. Right?

                      • 8. Re: How to prevent clickjacking issue in CF
                        Abdul L Koyappayil Level 1

                        Sumit,

                        I think that the path should be /opt/coldfusion/{instance_name}/wwwroot/WEB-INF/ as the server contains many CF instances in my case. So, as BKBK said, I also guess that the path should contain the instance name as well. Correct me if I am wrong.

                        • 9. Re: How to prevent clickjacking issue in CF
                          Sharma Nimit Adobe Employee

                          Yes, the instance name should also be changed as per your configuration. In my case, it was "cfusion".

                          <filter-mapping> should also be there. Otherwise, you can add it as mentioned below:

                          <filter-mapping>
                              <filter-name>CFClickJackFilterSameOrigin</filter-name>
                              <url-pattern><PATH></url-pattern>
                          </filter-mapping>

                          • 10. Re: How to prevent clickjacking issue in CF
                            BKBK Adobe Community Professional & MVP

                            Abdul L Koyappayil wrote:

                            Sumit,

                            I think that the path should be /opt/coldfusion/{instance_name}/wwwroot/WEB-INF/ as the server contains many CF instances in my case. So, as BKBK said, I also guess that the path should contain the instance name as well.

                            Correct. An instance holds a site, and you want the clickjacking filter to apply to just one site.

                            • 11. Re: How to prevent clickjacking issue in CF
                              BKBK Adobe Community Professional & MVP

                              Abdul L Koyappayil wrote:

                              Here I can see the below two settings.

                                  <!-- CF ClickJacking deny protection Filter  -->
                                  <filter>
                                      <filter-name>CFClickJackFilterDeny</filter-name>
                                      <filter-class>coldfusion.bootstrap.BootstrapFilter</filter-class>
                                      <init-param>
                                          <param-name>filter.class</param-name>
                                          <param-value>coldfusion.filter.ClickjackingProtectionFilter</param-value>
                                      </init-param>
                                      <init-param>
                                          <param-name>mode</param-name>
                                          <param-value>DENY</param-value>
                                      </init-param>
                                  </filter>

                                  <!-- CF ClickJacking same origin protection Filter  -->
                                  <filter>
                                      <filter-name>CFClickJackFilterSameOrigin</filter-name>
                                      <filter-class>coldfusion.bootstrap.BootstrapFilter</filter-class>
                                      <init-param>
                                          <param-name>filter.class</param-name>
                                          <param-value>coldfusion.filter.ClickjackingProtectionFilter</param-value>
                                      </init-param>
                                      <init-param>
                                          <param-name>mode</param-name>
                                          <param-value>SAMEORIGIN</param-value>
                                      </init-param>
                                  </filter>

                              But I cannot see a node like <filter-mapping> anywhere in the above two settings. Can you just confirm whether either of these two settings is the right place? If these are the correct place, then I just need to add the url-pattern. Right?

                              Right. Just add your own filter-mapping element underneath these 2 filters. Then restart ColdFusion!

                               

                              Test using your original frame code. You may wish to experiment between the choices CFClickJackFilterSameOrigin and CFClickJackFilterDeny in the filter-mapping element that you add.

                              • 12. Re: How to prevent clickjacking issue in CF
                                Abdul L Koyappayil Level 1

                                OK. Suppose I am adding the filter-mapping as given below; then I cannot use an iframe anywhere in the site https://abcd.rw.xyz.com/mer/nao/app_v4/. That's what it means. Right?

                                    <filter-mapping>
                                        <filter-name>CFClickJackFilterDeny</filter-name>
                                        <url-pattern>https://abcd.rw.xyz.com/mer/nao/app_v4/*</url-pattern>
                                    </filter-mapping>

                                • 13. Re: How to prevent clickjacking issue in CF
                                  BKBK Adobe Community Professional & MVP

                                  Abdul L Koyappayil wrote:

                                  OK. Suppose I am adding the filter-mapping as given below; then I cannot use an iframe anywhere in the site https://abcd.rw.xyz.com/mer/nao/app_v4/. That's what it means. Right?

                                  Right, but it means more. No one else could put your site in their IFrame!

                                  • 14. Re: How to prevent clickjacking issue in CF
                                    BKBK Adobe Community Professional & MVP

                                    Be aware that your filter, /abcd.rw.xyz.com/mer/nao/app_v4/*, is restrictive. For example, it won't apply to abcd.rw.xyz.com, abcd.rw.xyz.com/mer/ or abcd.rw.xyz.com/mer/nao/.

                                    • 15. Re: How to prevent clickjacking issue in CF
                                      BKBK Adobe Community Professional & MVP

                                      In fact, on reviewing this, I think your above filter should be something like

                                      <filter-mapping>
                                          <filter-name>CFClickJackFilterDeny</filter-name>
                                          <url-pattern>/mer/nao/app_v4/*</url-pattern>
                                      </filter-mapping>
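The scoping point made in replies 14 and 15 (a url-pattern of /mer/nao/app_v4/* leaves /mer/ and /mer/nao/ uncovered) and the DENY versus SAMEORIGIN choice raised in reply 11 can be checked with the following Python model. It is an added example, not code from this thread or from ColdFusion; the servlet-style pattern rules, the first-match assumption for overlapping mappings, and every path, origin and mapping in it are assumptions or constructed samples.

```python
"""Model of the thread's clickjacking defence, end to end (added example).

Part 1 applies servlet-style url-pattern rules to decide which web.xml
filter-mapping covers a request path. Part 2 applies the browser-side
X-Frame-Options check that the ColdFusion filter relies on. Assumption:
the first matching mapping wins; the thread does not say how ColdFusion
orders overlapping mappings, so keep them disjoint in practice.
"""
from urllib.parse import urlsplit

# Mode each filter sets, taken from the <param-name>mode</param-name>
# values in the web.xml excerpt quoted in the thread.
FILTER_MODES = {
    "CFClickJackFilterDeny": "DENY",
    "CFClickJackFilterSameOrigin": "SAMEORIGIN",
}


def pattern_matches(pattern, path):
    """Servlet-spec style url-pattern match: prefix, extension or exact."""
    if pattern.endswith("/*"):            # e.g. /* or /mer/nao/app_v4/*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):          # e.g. *.cfm
        return path.endswith(pattern[1:])
    return path == pattern                # exact match


def xfo_header_for(path, mappings):
    """X-Frame-Options value the first matching (filter-name, url-pattern)
    pair would set, or None when no clickjacking filter covers the path."""
    for filter_name, pattern in mappings:
        if pattern_matches(pattern, path):
            return FILTER_MODES.get(filter_name)
    return None


def origin_of(url):
    """scheme://host[:port], which is what the browser compares."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_allowed(xfo, page_url, framing_url):
    """Browser-side decision: may page_url render in a frame on framing_url?"""
    value = (xfo or "").strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framing_url)
    return True  # header absent: frameable, as the original test page showed


def would_render(path, mappings, site, framing_url):
    """Both halves for one request to the protected site (site + path)."""
    return frame_allowed(xfo_header_for(path, mappings), site + path, framing_url)


if __name__ == "__main__":
    narrow = [("CFClickJackFilterDeny", "/mer/nao/app_v4/*")]  # reply 15's mapping
    site = "https://abcd.rw.xyz.com"
    framer = "https://other.example/clickjack.html"   # constructed foreign page
    for path in ("/mer/nao/app_v4/index.cfm", "/mer/index.cfm"):
        print(path, xfo_header_for(path, narrow), would_render(path, narrow, site, framer))
```

Swapping the mapping's filter-name for CFClickJackFilterSameOrigin shows the other choice: the site's own pages may still frame each other, while the foreign page still cannot.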

                                      • 16. Re: How to prevent clickjacking issue in CF
                                        Abdul L Koyappayil Level 1

                                        I have modified the config file by adding the filter. Will update you once I have tested the changes. Currently I am not able to do this as the CF instance, where I am doing these changes, is down.

                                        • 17. Re: How to prevent clickjacking issue in CF
                                          BKBK Adobe Community Professional & MVP

                                          Thanks for the update. Out of curiosity, did the instance go down after you made the changes? If so, the changes might have been fatal.

                                          • 18. Re: How to prevent clickjacking issue in CF
                                            Abdul L Koyappayil Level 1

                                            Yes, it's working fine.

                                            BKBK wrote:

                                            Thanks for the update. Out of curiosity, did the instance go down after you made the changes? If so, the changes might have been fatal.

                                            I think no. The issue was that the port connecting to this instance was not active.

                                            I have one doubt here.

                                            I need to prevent this clickjacking issue for another application as well. But I did this by adding one more filter-mapping. Can I achieve this by adding multiple url-patterns in a single filter-mapping? If possible, which is the best method? Any idea?

                                            • 19. Re: How to prevent clickjacking issue in CF
                                              BKBK Adobe Community Professional & MVP

                                              Abdul L Koyappayil wrote:

                                               

                                              I have one doubt here.

                                              I need to prevent this clickjacking issue for another application as well. But I did this by adding one more filter-mapping. Can I achieve this by adding multiple url-patterns in a single filter-mapping? If possible, which is the best method? Any idea?

                                              It is more informative for us to discuss one issue at a time. Before moving to something else, please give us your feedback on the use of the clickjacking filter in web.xml as an answer to your original question. At the moment, all we know is that you are unable to test anything because your server instance is down.

                                               

                                              I think you will get a more fruitful discussion from the forum if you round off one topic before opening the next, however related the 2 topics may be. In fact, such a 'separation of concerns' will also make for more informative forum threads. A future reader may be interested in your original issue, but not in the next. Could you round off this thread and, if you wish, open another on multiple url-patterns?

                                              • 20. Re: How to prevent clickjacking issue in CF
                                                Abdul L Koyappayil Level 1

                                                I have clearly mentioned in my last post that it's working fine. A future reader can easily understand this. Right?

                                                 

                                                As you wish I will round off this thread and will open a new thread regarding multiple url patterns in a single filter mapping.

                                                • 21. Re: How to prevent clickjacking issue in CF
                                                  BKBK Adobe Community Professional & MVP

                                                  Abdul L Koyappayil wrote:

                                                   

                                                  I have clearly mentioned in my last post that it's working fine. A future reader can easily understand this. Right?

                                                  I misunderstood that. I thought, by 'working fine', you meant your instance was up and running. I am glad to hear that your clickjacking defence is now in place.

                                                  • 22. Re: How to prevent clickjacking issue in CF
                                                    Abdul L Koyappayil Level 1

                                                    np....

                                                     

                                                    I am disturbing you again; if you don't mind, can you please have a look here: Clickjacking issue - adding multiple url patterns in a single filter mapping

                                                    • 23. Re: How to prevent clickjacking issue in CF
                                                      BKBK Adobe Community Professional & MVP

                                                      Please do continue! We all learn from the experiences you share with us.