Thursday, February 25, 2016

Clickjacking prevention using X Frame Options and J2EE Filter


1. What is Clickjacking?
Clickjacking is also known as a user interface (UI) redress attack.
It is a technique in which an attacker tricks a web user into clicking on something different from what the user perceives they are clicking on. The attacker loads the target site in an invisible or disguised frame on a page they control, so a click meant for the decoy page lands on a real control of the target site, potentially revealing confidential information or performing actions in the victim's authenticated session. It is a browser-level issue that affects every browser and platform, so the defence has to come from the site that is being framed.
2. How to prevent Clickjacking using a Filter in Java
The example below shows how clickjacking happens and how to prevent it.

Here I have created a simple LoginServlet; after a successful login the user is redirected to a success page.
Everyone knows how to create and deploy a servlet, but I am writing it out here for readers who have no idea how to do it.
Step 1: Start Eclipse.
Step 2: Create a Dynamic Web Project named clickjacking_prevention.
Step 3: First we need to create a login.jsp page under the WebContent folder of the project. The form posts to the servlet mapped at /loginServlet (configured in Step 6) with the parameters username and password:
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Login page</title>
</head>
<body>
    <form action="loginServlet" method="post">
        User Name <input type="text" name="username"><br>
        Password <input type="password" name="password"><br>
        <input type="submit" value="Login">
    </form>
</body>
</html>
Step 4: Now we need to create the success page, loginSuccess.jsp (the servlet redirects to this file name):
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Login Success</title>
</head>
<body>
    <h2>Login Successful</h2>
    <p>You can construct this page as you like.</p>
</body>
</html>

Step 5: Now we need to create the LoginServlet:
package com.siva;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        String username = request.getParameter("username");
        String password = request.getParameter("password");
        // Demo-only credential check against hard-coded values; a real
        // application would verify a salted password hash from a user store.
        if ("siva".equalsIgnoreCase(username) && "raju".equals(password)) {
            response.sendRedirect("loginSuccess.jsp");
        } else {
            // Send the user back to the form instead of returning an empty response.
            response.sendRedirect("login.jsp");
        }
    }
}
Step 6: Now we need to configure the LoginServlet in web.xml (the welcome-file entry makes login.jsp the application's start page):
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <display-name>clickjacking_prevention</display-name>
  <welcome-file-list>
    <welcome-file>login.jsp</welcome-file>
  </welcome-file-list>

  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.siva.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/loginServlet</url-pattern>
  </servlet-mapping>
</web-app>
Step 7: Once this configuration is done, run the project on a servlet container such as Apache Tomcat or JBoss and open
http://localhost:8080/clickjacking_prevention/

The login page opens. Enter the username siva and the password raju and submit; you are redirected to the loginSuccess page.



Step 8: Create an HTML file with any name and paste the code below into it. All it does is load the loginSuccess page inside an iframe:

<!DOCTYPE html>
<html>
<head>
    <title>click jaking</title>
</head>
<body>
    <!-- frames the application's page from another page; width and height are illustrative -->
    <iframe src="http://localhost:8080/clickjacking_prevention/loginSuccess.jsp"
            width="800" height="600"></iframe>
</body>
</html>

Step 9: Open this HTML file in the browser. The frame shows exactly the same content as the loginSuccess page, because the response carries no header that forbids framing.


Step 10: Compare the two screenshots above: one is the page loaded directly by its URL, the other is the page inside an iframe, and they are identical.
So an attacker can embed your real site in a page they control, lay it transparently over innocent-looking content and make a logged-in user click on your site's buttons without realising it, which is how data gets stolen or actions are performed in the victim's name.
Now, how to prevent this.
We need the response to carry the X-Frame-Options header, set either in a filter or in the JSP page itself:
response.addHeader("X-Frame-Options", "DENY");
DENY forbids framing entirely; SAMEORIGIN allows framing only by pages of the same origin. X-Frame-Options is the original, widely supported defence; its standards-track successor is the Content-Security-Policy frame-ancestors directive, and a current deployment should send both, because a browser that understands frame-ancestors uses it in preference to X-Frame-Options. Here I have written a Filter that adds the header to every response:
package com.siva;

import java.io.IOException;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ClickjackingPreventionFilter implements Filter {

    // Default to DENY: the page may not be framed at all, not even by itself.
    private String mode = "DENY";

    // Add the X-Frame-Options response header so the browser refuses to render
    // this content inside a frame. setHeader (rather than addHeader) is used so
    // that exactly one X-Frame-Options header is sent even if something else in
    // the chain also sets it. The header must be set before the chain runs:
    // once the response is committed, header changes are ignored.
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) response;
        res.setHeader("X-Frame-Options", mode);
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }

    // Read the mode from the filter's init-param. Only DENY and SAMEORIGIN are
    // accepted: any other value (including the obsolete ALLOW-FROM form, which
    // current browsers treat as invalid and ignore) would silently disable the
    // protection, so deployment fails instead.
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String configMode = filterConfig.getInitParameter("mode");
        if (configMode != null) {
            String m = configMode.trim().toUpperCase(Locale.ROOT);
            if (!m.equals("DENY") && !m.equals("SAMEORIGIN")) {
                throw new ServletException("Unsupported X-Frame-Options mode: " + configMode);
            }
            mode = m;
        }
    }
}


Step 11: Once the filter is written, we need to register it in web.xml. Add the following inside <web-app>; the /* mapping applies the filter to every request, including the JSP pages and the servlet:

    <filter>
        <filter-name>ClickjackPreventionFilterDeny</filter-name>
        <filter-class>com.siva.ClickjackingPreventionFilter</filter-class>
        <init-param>
            <param-name>mode</param-name>
            <param-value>DENY</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>ClickjackPreventionFilterDeny</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Once this configuration is in place, run the same iframe example again. The frame is now empty: the browser sees X-Frame-Options: DENY on the response and refuses to render it inside a frame. Internet Explorer shows a warning inside the frame; other browsers show a blank frame or an error placeholder and log the refusal in the developer console.
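To make the browser side of this concrete, here is an added example (not code from the original post) in JavaScript that models the decision a browser makes when it receives a framed response: it evaluates X-Frame-Options the way the filter above relies on, and also the Content-Security-Policy frame-ancestors directive that supersedes it, which goes beyond what the post covers. The attacker origin http://evil.example, the partner hosts and all header sets are constructed for the demo, and the CSP source matching is a simplified subset of the real algorithm.

```javascript
// Added example, not from the original post: a simplified model of how a
// browser decides whether a response may be rendered inside a frame, driven
// by the X-Frame-Options and Content-Security-Policy response headers.
// Origins are "scheme://host[:port]" strings; header values are constructed.

// Split an origin into scheme, host and port, defaulting the port so that
// "https://app.example" and "https://app.example:443" compare equal.
function parseOrigin(origin) {
  const u = new URL(origin);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return { scheme: u.protocol.slice(0, -1).toLowerCase(), host: u.hostname.toLowerCase(), port };
}

function sameOrigin(a, b) {
  const x = parseOrigin(a), y = parseOrigin(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Does one frame-ancestors source expression match the top-level origin?
// Handles 'none', 'self', '*', scheme sources ("https:"), exact origins and
// host wildcards ("https://*.partner.example"). Simplification: when the
// source names no port, the port is not checked.
function sourceMatches(source, topOrigin, frameOrigin) {
  if (source === "'none'") return false;
  if (source === "*") return true;
  if (source === "'self'") return sameOrigin(topOrigin, frameOrigin);
  const top = parseOrigin(topOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return source.slice(0, -1).toLowerCase() === top.scheme;
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() !== top.scheme) return false;
  const h = host.toLowerCase();
  if (wildcard ? !top.host.endsWith("." + h) : top.host !== h) return false;
  if (port && port !== "*" && port !== top.port) return false;
  return true;
}

// Return the frame-ancestors source list from a CSP header value, or null
// when the directive is absent (directives are ';'-separated).
function frameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

// The browser's decision. `headers` maps lower-cased header names to values.
function mayBeFramed(topOrigin, frameOrigin, headers) {
  // CSP Level 2: if frame-ancestors is present, X-Frame-Options is ignored.
  const ancestors = frameAncestors(headers["content-security-policy"]);
  if (ancestors !== null) {
    const ok = ancestors.some((s) => sourceMatches(s, topOrigin, frameOrigin));
    return { allowed: ok, reason: "csp frame-ancestors" };
  }
  const xfo = headers["x-frame-options"];
  if (xfo === undefined) return { allowed: true, reason: "no framing policy" };
  const value = xfo.trim().toUpperCase();
  if (value === "DENY") return { allowed: false, reason: "x-frame-options DENY" };
  if (value === "SAMEORIGIN") {
    return { allowed: sameOrigin(topOrigin, frameOrigin), reason: "x-frame-options SAMEORIGIN" };
  }
  // Any other value, including the obsolete ALLOW-FROM form that current
  // browsers do not implement, is invalid and is ignored: the page is framed
  // exactly as if no header had been sent.
  return { allowed: true, reason: "x-frame-options invalid, ignored" };
}

const APP = "http://localhost:8080";    // the clickjacking_prevention application
const ATTACKER = "http://evil.example"; // constructed attacker origin

// Constructed response header sets for loginSuccess.jsp.
const scenarios = {
  noHeaders: {},
  deny: { "x-frame-options": "DENY" },
  sameOrigin: { "x-frame-options": "SAMEORIGIN" },
  allowFrom: { "x-frame-options": "ALLOW-FROM http://partner.example" },
  cspNone: { "content-security-policy": "frame-ancestors 'none'" },
  cspWins: {
    "x-frame-options": "DENY",
    "content-security-policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  },
};

// Evaluate every scenario for a given top-level page; returns name -> allowed.
function evaluateAll(topOrigin) {
  const out = {};
  for (const [name, headers] of Object.entries(scenarios)) {
    out[name] = mayBeFramed(topOrigin, APP, headers).allowed;
  }
  return out;
}

console.log("top-level page on", ATTACKER, evaluateAll(ATTACKER));
console.log("top-level page on", APP, evaluateAll(APP));
```

Run it with node to see that the attacker's page can frame the application only when no policy is sent or when the value is one the browser does not recognise (the allowFrom case), which is why the filter's init-param should be restricted to DENY or SAMEORIGIN; the cspWins case shows that once frame-ancestors is present it, and not the X-Frame-Options header, decides the outcome.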



This is how we can prevent clickjacking attacks.
Thank you for viewing the post.


36 comments:

  1. Hey, it worked. Thanks. Could you please let me know the better way to do that? I read somewhere that X-Frame-Options is deprecated. Is there any disadvantage of implementing it using X-Frame-Options?

  2. Why can't we use org.apache.catalina.filters.HttpHeaderSecurityFilter
    with web-app version="2.4"?
