IBM Support

Web Application is susceptible to Clickjacking (User Interface Redress Attack)

Troubleshooting


Problem

The Web application is susceptible to UI overlay (clickjacking) attacks: an attacker's page can load the application inside an invisible frame, so that the user's clicks land on the application under the attacker's control and the resulting requests are forwarded to a location of the attacker's choosing. Note: only the unauthenticated login pages were tested; a live node and credentials were not provisioned for testing.

Cause

https://www.ibm.com/support/pages/clickjacking-through-x-frame-option-header

If the response does not carry the X-Frame-Options header with one of the values below, the scan reports the page as vulnerable.

There are three possible values for the X-Frame-Options header:
1. DENY, which prevents any domain from framing the content. DENY is recommended unless a specific need for framing has been identified.
2. SAMEORIGIN, which only allows pages from the same origin as the content to frame it.
3. ALLOW-FROM uri, which permits only the specified 'uri' to frame this page (e.g., ALLOW-FROM http://www.example.com). Limitation: ALLOW-FROM was never implemented by all browsers (Chrome and Safari ignore it), and a browser that does not recognise the value ignores the header entirely, so this option fails open. Where a specific framing origin must be permitted, use the Content-Security-Policy frame-ancestors directive instead.

Diagnosing The Problem

Steps to Reproduce:
1. Save the attached file and double-click it.
2. Observe that the Control Center Direct Browser User Interface application login page is loaded within a frame on a page from another domain.

Resolving The Problem

  1. Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages ...

    Upgrade IBM Control Center to v6.1.2.0 base or higher.

    No fix is available for versions prior to v6.1.2.0.

Document Location

Worldwide

Business Unit: IBM Software w/o TPS (BU059)
Product: IBM Control Center (SS9GLA)
Component: WebSphere Liberty
Platform: AIX, Linux, Red Hat, SUSE, Windows
Version: All Versions
Line of Business: Sustainability Software (LOB59)

Document Information

Modified date:
17 January 2023

UID

ibm10959885