IBM Support

Cross Frame Scripting (XFS) - Clickjacking vulnerability and WebSphere Application Server applications.

Question & Answer


Question

How can I protect my WebSphere applications from the Cross Frame Scripting vulnerability?

Cause

Cross Frame Scripting (XFS) - Clickjacking vulnerability

Answer

Cross Frame Scripting (XFS), also known as Clickjacking, is an attack that exploits a bug in specific browsers to capture sensitive information from legitimate users of an application. The attacker induces the user's browser to navigate to a web page that the attacker controls; that page loads a third-party page in an HTML frame, and JavaScript executing in the attacker's page then steals data from the framed third-party page.

There is no custom property for the WebContainer that sets this header globally for all WebContainer responses in WebSphere Application Server.

If you want to send the X-Frame-Options header for your applications, you have to set it in the servlet code. For example:

response.setHeader("X-Frame-Options","SAMEORIGIN");
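Because the header must be emitted by application code, a servlet Filter mapped to /* is the usual way to apply the line above to every response of a WebSphere application instead of editing each servlet. The filter below is an added example, not code from the IBM document; the class name FrameOptionsFilter and the init-param name "policy" are assumptions, and the filter is assumed to be registered in web.xml (or with @WebFilter).

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: register it in web.xml with <url-pattern>/*</url-pattern>
// so that every response from the application carries X-Frame-Options.
public class FrameOptionsFilter implements Filter {

    private static final String HEADER = "X-Frame-Options";

    // SAMEORIGIN matches the snippet in the answer; an init-param named
    // "policy" (assumed name) may override it with DENY.
    private String policy = "SAMEORIGIN";

    @Override
    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("policy");
        if (configured != null) {
            String value = configured.trim().toUpperCase();
            // Accept only the two values browsers support; an unknown value
            // is ignored by the browser and would leave the page frameable.
            if (!value.equals("DENY") && !value.equals("SAMEORIGIN")) {
                throw new ServletException("Unsupported X-Frame-Options value: " + configured);
            }
            policy = value;
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            // Set the header before the chain runs so it is already present if a
            // servlet commits the response early; setHeader replaces any prior value.
            ((HttpServletResponse) response).setHeader(HEADER, policy);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
```

After deployment, verify with a browser's network inspector or `curl -I` that responses for every protected path include the header; an error page served by the container itself, rather than the application, may still lack it.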

See the following link for protecting your Apache HTTP Server running on IBM i from this vulnerability:

http://www-01.ibm.com/support/docview.wss?uid=nas8N1021854


Document Information

Modified date:
18 December 2019

UID

nas8N1021853