Skip to Content
author's profile photo Sarah Bavousett
0
Sarah Bavousett

Portal 7.31 Logon Page Clickjacking Vulnerability Question

Posted on Jan 19, 2016 at 10:43 PM 310 Views

Portal 7.31 Logon Page Clickjacking Vulnerability Question Our Internal Security has flagged our Portal Logon Page as having the Possibility of Clickjacking Vulnerability. Security have stated the following: The web server does not set an X-Frame-Options response header in all content responses. This could potentially expose the site to a clickjacking or UI Redress attack wherein an attacker can trick a user into clicking an area of the vulnerable page that is different than what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions. Note that while the X-Frame-Options response header is not the only mitigation for clickjacking, it is currently the most reliable method to detect through automation. I thought SAP handled Clickjacking thru the coding of JSP’s but I cannot find any documentation to show our Security people I would like to know if and how SAP handles clickjacking in the Portal Logon Page? I would like to know if it is possible and how I would change the Portal Logon Page to include X-Frame-Options Any help on this matter would be greatly appreciated Thank you Sarah

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

2 Answers

  • author's profile photo JEGANRAJ R
    JEGANRAJ R
    Posted on Aug 30, 2016 at 07:43 AM
    1

    Hi Sarah,

    Please refer the note 2319727. SAP has given the steps to be performed in case of ABAP and JAVA for Clickjacking.

    Regards,

    Jegan Raj

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member
      Aug 30, 2016 at 08:23 AM

      Nice one Jeganraj, thanks for sharing. Especially linked 2169722 is containing an important clue from my point of view:

      "...Standard protection measures against Clickjacking (X-FRAME-OPTIONS header) are not suitable for common NetWeaver integration scenarios.

      Therefore SAP is providing a whitelist based framework for NetWeaver technologies..."

      Indeed, the 2319727 doesnt contains any specific informations, but rather is pointing to W3C etc... As I have mentioned you will need a concrete scenario, to be able to advise concrete measures

      cheers

    Comment on This Answer
  • author's profile photo Heather Korycinski
    Heather Korycinski
    Posted on Aug 25, 2016 at 02:42 PM
    0

    Hello,

    We are experience similar issue with 7.3 and 7.4. Did you get any reply or update on this?

    Thanks

    Heather

    Add a comment
    10|10000 characters needed characters exceeded

    Comment on This Answer

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.