cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Portal 7.31 Logon Page Clickjacking Vulnerability Question

sarah_bavousett
Participant

on ‎01-19-2016 10:43 PM

0 Kudos

Portal 7.31 Logon Page Clickjacking Vulnerability Question Our Internal Security has flagged our Portal Logon Page as having the Possibility of  Clickjacking Vulnerability. Security have stated the following: The web server does not set an X-Frame-Options response header in all content responses. This could potentially expose the site to a clickjacking or UI Redress attack wherein an attacker can trick a user into clicking an area of the vulnerable page that is different than what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions. Note that while the X-Frame-Options response header is not the only mitigation for clickjacking, it is currently the most reliable method to detect through automation. I thought SAP handled Clickjacking thru the coding of JSP’s but I cannot find any documentation to show our Security people I would like to know if and how SAP handles clickjacking in the Portal Logon Page? I would like to know if it is possible and how I would change the  Portal Logon Page to include X-Frame-Options Any help on this matter would be greatly appreciated Thank you Sarah

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (2)

Answers (2)

former_member185488
Participant
‎08-30-2016 8:43 AM
0 Kudos

Hi Sarah,

Please refer the note 2319727. SAP has given the steps to be performed in case of ABAP and JAVA for Clickjacking.

Regards,

Jegan Raj

Show replies
Show replies
stefan_mahnke
Participant
‎08-30-2016 9:02 AM
0 Kudos

Hi Jegan,

thanks for sharing! I think this is the right approach.

Regards Stefan

Former Member
‎08-30-2016 9:23 AM
0 Kudos

Nice one Jeganraj, thanks for sharing. Especially linked 2169722 is containing an important clue from my point of view:

"...Standard protection measures against Clickjacking (X-FRAME-OPTIONS header) are not suitable for common NetWeaver integration scenarios.

Therefore SAP is providing a whitelist based framework for NetWeaver technologies..."

Indeed, the 2319727 doesnt contains any specific informations, but rather is pointing to W3C etc... As I have mentioned you will need a concrete scenario, to be able to advise concrete measures

cheers

former_member330100
Explorer
‎08-25-2016 3:42 PM
0 Kudos

Hello,

We are experience similar issue with 7.3 and 7.4. Did you get any reply or update on this?

Thanks

Heather

Show replies
Show replies
Former Member
‎08-25-2016 3:56 PM
0 Kudos 


Heather Korycinski wrote:




Hello,


We are experience similar issue with 7.3 and 7.4. Did you get any reply or update on this?




Thanks


Heather

response headers like those:

X-Frame-Options - HTTP | MDN

can be added by the infrastructure, a reverse proxy e.g.

Prevention in genrally is well documented on wiki:

https://en.wikipedia.org/wiki/Clickjacking

As far I understood a scenario can be JS overlapping e.g., so your ep logon page is attacked by something, that tries to steal credentials e.g.

What is your concrete question resp exact scenario you are asking for?

cheers

stefan_mahnke
Participant
‎08-25-2016 4:38 PM
0 Kudos

Hi,

we are also struggeling with this. Isn't there an option to add this through the web dispatcher. I tried to add the header field as described in here

Defining Modification Actions - SAP Web Dispatcher - SAP Library

but it didn't worked.

Regards Stefan

Former Member
‎08-30-2016 8:35 AM
0 Kudos

Stefan, this is in fact another story imho, since you already obviously understood what the problem exactly is and how to avoid it. What you have here are problems on know how for SAP web dispatcher. From your problem description Im not clear what is meant with "but it didn't worked". I would suggest you to take a look here e.g.: resp describe your problems in the right section of SCN: your question is in fact an infrastructure question and is barely related to EP.

However, Im still not clear what your exact scenario is, since no one in this thread is describing the exact problem resp. a reproducing sequence

cheers

Ask a Question