IBM Support

InfoSphere Business Glossary: Preventing Clickjacking (cross-frame scripting) Attacks

Troubleshooting


Problem

Some browsers have a known bug that leaks keyboard events across frame sets, which lets an attacker who embeds an InfoSphere Business Glossary page in a frame on a site under the attacker's control capture what the user types into that frame. To prevent this clickjacking (cross-frame scripting) attack, you must configure WebSphere Application Server so that InfoSphere Business Glossary responses carry an X-Frame-Options header that denies or limits framing of its pages.

Symptom

For example, the attacker embeds the login page of example.com in a frame on the home page of evil.com and registers JavaScript on the evil.com page that listens for all key events.

Normally, this listener would be notified only of events that originate in the evil.com page itself. Because of the browser bug, the listener is also notified of events from the framed example.com page. As a result, every keystroke that the user makes in the example.com login page can be captured by the attacker and reported back to evil.com.

Resolving The Problem

To prevent cross-frame scripting, you must install the roll-up patch rollup_RU1_BG_all_9100-2 and then complete the following steps:

  1. Log into WebSphere Integrated Solutions Console as the WebSphere Administrator user.
  2. In the left panel, open Servers, and then open Server Types. Click WebSphere application servers.
  3. In the Application servers table, click the server where InfoSphere Business Glossary is installed.
  4. Under Server Infrastructure, open Java and Process Management, and then click Process definition.
  5. Under Additional Properties, click Java Virtual Machine.
  6. Under Additional Properties, click Custom Properties.
  7. Click New. Complete these steps to create and apply a system configuration property:
    1. In the Name field, type bg.xFrameOptions.
    2. In the Value field, type the value of the X-Frame-Options HTTP response header that you need (for example: SAMEORIGIN, which allows the page to be framed only by pages from the same origin).
    3. Click Apply, and then click OK.
  8. In the Messages window, click Save to save the new property to the master configuration. The property takes effect only after WebSphere Application Server is restarted.
  9. Stop and restart WebSphere Application Server.
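After the restart, confirm that InfoSphere Business Glossary pages are actually served with the header and that the value you chose blocks the scenario from the Symptom section. The following check is an added example, not IBM code: it extracts X-Frame-Options from a raw HTTP response and applies the processing rules of the current HTML Standard (deny and sameorigin are enforced, two or more different values block framing, any other value is ignored). The responses, the https scheme and the example.com/evil.com origins are constructed for the example.

```javascript
// Added example (not IBM's code): model how a browser applies the
// X-Frame-Options header that the bg.xFrameOptions property makes
// InfoSphere Business Glossary send. Follows the HTML Standard's
// X-Frame-Options processing: "deny" and "sameorigin" are enforced,
// conflicting values block framing, unrecognised values are ignored.

// Collect every value of a header from a raw HTTP/1.1 response.
// Header names are case-insensitive; repeated header lines and
// comma-separated lists are both flattened, as a browser does.
function getHeaderValues(rawResponse, name) {
  const headerBlock = rawResponse.split(/\r?\n\r?\n/)[0];
  const lines = headerBlock.split(/\r?\n/).slice(1); // drop the status line
  const values = [];
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    if (line.slice(0, idx).trim().toLowerCase() !== name.toLowerCase()) continue;
    for (const part of line.slice(idx + 1).split(',')) {
      const value = part.trim().toLowerCase();
      if (value) values.push(value);
    }
  }
  return values;
}

// Decide whether a document served with the given (lower-cased)
// X-Frame-Options values may be framed by a top-level page at
// framerOrigin. framedOrigin is the origin of the framed document.
function framingAllowed(xfoValues, framedOrigin, framerOrigin) {
  const distinct = new Set(xfoValues);
  if (distinct.size === 0) return true;   // no header: any site may frame the page
  if (distinct.size > 1) return false;    // conflicting values: browser blocks framing
  const [value] = distinct;
  if (value === 'deny') return false;
  if (value === 'sameorigin') {
    return new URL(framedOrigin).origin === new URL(framerOrigin).origin;
  }
  // Unrecognised value (including the obsolete ALLOW-FROM): header is
  // ignored, so framing is allowed. Only SAMEORIGIN or DENY protect you.
  return true;
}

// Evaluate a raw response directly.
function responseFramingAllowed(rawResponse, framedOrigin, framerOrigin) {
  const values = getHeaderValues(rawResponse, 'X-Frame-Options');
  return framingAllowed(values, framedOrigin, framerOrigin);
}

// Constructed responses standing in for a Business Glossary login page
// before and after bg.xFrameOptions=SAMEORIGIN is applied (sample data).
const BEFORE_FIX = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=UTF-8',
  '',
  '<html>...</html>',
].join('\r\n');

const AFTER_FIX = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=UTF-8',
  'X-Frame-Options: SAMEORIGIN',
  '',
  '<html>...</html>',
].join('\r\n');

// Origins from the technote's scenario; the https scheme is assumed.
const GLOSSARY = 'https://example.com';
const ATTACKER = 'https://evil.com';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('before fix, framed by evil.com:', responseFramingAllowed(BEFORE_FIX, GLOSSARY, ATTACKER)); // true
  console.log('after fix, framed by evil.com: ', responseFramingAllowed(AFTER_FIX, GLOSSARY, ATTACKER));  // false
  console.log('after fix, framed by itself:   ', responseFramingAllowed(AFTER_FIX, GLOSSARY, GLOSSARY));  // true
}
```

Feed it the headers you capture from a real InfoSphere Business Glossary response (for example from the browser's network panel) to verify the deployed value. Note that a value other than SAMEORIGIN or DENY is simply ignored by browsers, so a typo in the bg.xFrameOptions value leaves the page frameable even though the header is present.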

Applies to:
  InfoSphere Business Glossary (SSZJPD), versions 9.1 and 9.1.0.1, on AIX, HP-UX, Linux, Solaris and Windows
  IBM InfoSphere Information Server (SSZJPZ), versions 9.1, 9.1.0.1 and 9.1.2.0, on AIX, HP-UX, Linux, Solaris and Windows

Document Information

Modified date:
16 June 2018

UID

swg21651543