Disable Cross-Frame Scripting (XFS) for pages delivered by the Access Gateway Embedded Service Provider (nesp)

  • 7017550
  • 28-Apr-2016
  • 02-May-2016

Environment

  • NetIQ Access Manager 4.1
  • NetIQ Access Manager 4.2

Situation

  • Calling pages delivered by the NESP server from within an HTML iframe is possible with the default NIDP server configuration.

  • Note: this usually has a very low impact, as the delivered pages are not used for the user login process; in most cases they are only used for reporting error messages.

  • To prevent a possible Cross-Frame Scripting (XFS) attack, a web service can add the HTTP "X-Frame-Options" response header as defined by RFC 7034.

Resolution

There are two options for adding this header on the Access Gateway:

  1. Add a Tomcat filter to the embedded service provider
    - ssh into your Access Gateway server
    - modify "/opt/novell/nesp/lib/webapp/WEB-INF/web.xml" using the editor of your choice
    - add the following Tomcat filter configuration below any existing filter configurations

    <filter>
        <filter-name>TomcatSameOriginFilter</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>TomcatSameOriginFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    - restart the embedded service provider: "/etc/init.d/novell-mag restart"

  2. Use the Apache "mod_headers" module to add the required header

    • open "/etc/opt/novell/apache2/conf/httpd.conf" on your Access Gateway with an editor of your choice
    • remove the "#" in front of "LoadModule headers_module libexec/mod_headers.so" in order to enable loading the module
    • add the following Apache directive in iManager, under the Access Gateway's global "Advanced Options" menu:

      <LocationMatch "/nesp">
         Header always append X-Frame-Options SAMEORIGIN
      </LocationMatch>
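After applying either option, you will want to confirm that the responses served under /nesp actually carry a usable header. The following checker is an added example, not part of this TID or of the Access Manager product: it parses a raw HTTP response (as captured with e.g. "curl -i") and classifies it as protected, unprotected, or in need of review. It also covers two edge cases a practitioner runs into: a Content-Security-Policy frame-ancestors directive, which CSP Level 2 browsers honour in preference to X-Frame-Options, and a header that carries more than one value, which is what Apache's "Header append" produces when the header is already present (for instance when both options above are active), and which RFC 7034 leaves undefined. The sample responses embedded in the block are constructed for illustration, not real nesp output.

```python
"""Added example (not from the TID): classify a captured HTTP response by
whether X-Frame-Options (RFC 7034) or CSP frame-ancestors would stop another
origin from framing the page. Sample responses below are constructed."""

from typing import Dict, List, Tuple

VALID_XFO = ("DENY", "SAMEORIGIN")


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP response into its status line and a header map.

    Header names are lower-cased; a header sent more than once keeps every
    value, in order, so duplicates can be detected later.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that have no colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def frame_ancestors(headers: Dict[str, List[str]]) -> List[str]:
    """Return the source list of a CSP frame-ancestors directive, or []."""
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return []


def framing_policy(headers: Dict[str, List[str]]) -> Dict[str, str]:
    """Classify as protected / unprotected / review, with a reason."""
    # CSP frame-ancestors, where present, takes precedence over X-Frame-Options
    # in browsers that implement CSP Level 2.
    ancestors = frame_ancestors(headers)
    if ancestors:
        if "*" in ancestors:
            return {"status": "unprotected", "reason": "frame-ancestors allows any origin (*)"}
        return {"status": "protected", "reason": "frame-ancestors " + " ".join(ancestors)}

    # Apache "Header append" merges into an existing header with ", ", so one
    # header line may carry several comma-separated values; split them out.
    values: List[str] = []
    for raw in headers.get("x-frame-options", []):
        values.extend(v.strip().upper() for v in raw.split(",") if v.strip())

    if not values:
        return {"status": "unprotected", "reason": "no X-Frame-Options or frame-ancestors header"}
    if len(values) > 1:
        # RFC 7034 does not define the meaning of multiple values and browsers
        # handle them differently; flag for a manual look rather than guess.
        return {"status": "review", "reason": "multiple X-Frame-Options values: " + ", ".join(values)}
    if values[0] not in VALID_XFO:
        # Unknown tokens (including the obsolete ALLOW-FROM form) are ignored
        # by current browsers, which then allow framing.
        return {"status": "unprotected", "reason": "unrecognised X-Frame-Options value: " + values[0]}
    return {"status": "protected", "reason": "X-Frame-Options " + values[0]}


def check(raw: str) -> str:
    """Parse and classify a raw response, returning only the status string."""
    _, headers = parse_response(raw)
    return framing_policy(headers)["status"]


# Constructed sample responses (not captured from a real Access Gateway).
BEFORE_FIX = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>error page</html>"
AFTER_FILTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>"
BOTH_OPTIONS = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n\r\n"
CSP_ONLY = "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n\r\n"
BAD_VALUE = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://example.com\r\n\r\n"

if __name__ == "__main__":
    samples = [("before fix", BEFORE_FIX), ("after filter", AFTER_FILTER),
               ("both options", BOTH_OPTIONS), ("csp only", CSP_ONLY), ("bad value", BAD_VALUE)]
    for name, raw in samples:
        _, hdrs = parse_response(raw)
        result = framing_policy(hdrs)
        print(f"{name:12s} {result['status']:12s} {result['reason']}")
```

Feed it the output of "curl -i" against an error page under /nesp before and after the change; a "review" result on the doubled-value case is the signal that both the Tomcat filter and the Apache directive are active and one of them should be dropped, or "Header always set" used in place of "append".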

Additional Information

The HttpHeaderSecurityFilter class was added in Tomcat version 7.0.63; earlier Tomcat versions do not ship this filter.