Return X-Frame-Options HTTP header to prevent cross-frame scripting and clickjacking

Description

Following a security scan using Nessus, a customer has requested that OpenNMS return the X-Frame-Options HTTP header with the index.jsp page's response to prevent cross-frame scripting and clickjacking
(for more info see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet)

I have fixed this issue using the standard jetty-rewrite jar.
This issue is to create a patch for Meridian 2016 so that the rewrite option is available in the standard distribution.

Download jetty-rewrite-7.6.15.v20140411.jar from http://mvnrepository.com/artifact/org.eclipse.jetty/jetty-rewrite/7.6.15.v20140411 (the jetty-rewrite version must match the Jetty version already bundled in /opt/opennms/lib, otherwise the rewrite handler classes may fail to load)
dzdo cp jetty-rewrite-7.6.15.v20140411.jar /opt/opennms/lib/
Edit /opt/opennms/etc/jetty.xml

and add/change the following lines (the RewriteHandler must be the first item in the HandlerCollection so the header is set before the web application contexts write their responses; restart OpenNMS afterwards):

<!-- added X-Frame-Options to avoid clickjacking -->
<!-- HeaderPatternRule sets a fixed response header on every request whose path matches the pattern; "*" matches all paths -->
<New id="RewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
  <Set name="rules">
    <Array type="org.eclipse.jetty.rewrite.handler.Rule">
      <Item>
        <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
          <Set name="pattern">*</Set>
          <Set name="name">X-Frame-Options</Set>
          <!-- SAMEORIGIN allows framing only by pages from the same origin; use DENY to forbid framing entirely -->
          <Set name="value">SAMEORIGIN</Set>
        </New>
      </Item>
    </Array>
  </Set>
</New>

<!-- Server handler chain: the RewriteHandler runs first, then the web application contexts, then the default handler -->
<Set name="handler">
  <New id="Handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
    <Set name="handlers">
      <Array type="org.eclipse.jetty.server.Handler">
        <Item>
          <Ref id="RewriteHandler" />
        </Item>
        <Item>
          <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection" />
        </Item>
        <Item>
          <New id="DefaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler" />
        </Item>
      </Array>
    </Set>
  </New>
</Set>
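After restarting OpenNMS, the change should be confirmed from the outside rather than by reading jetty.xml, because a jar/Jetty version mismatch or a misplaced handler will silently leave responses unchanged. The following script is an added example written for this page, not part of the OpenNMS issue, the pull request or the project's own tooling. It assumes curl is installed and that the web UI listens on http://localhost:8980 (the default port; adjust if yours differs). The sample HTTP responses embedded in the script are constructed for offline demonstration; the --live mode performs real HEAD requests.

```shell
#!/bin/sh
# check_xfo.sh: verify that an HTTP response carries an anti-clickjacking
# X-Frame-Options header (DENY or SAMEORIGIN).
# Added example for this issue page; not OpenNMS project code.
# Assumptions: curl is available; OpenNMS web UI on http://localhost:8980.

# Print the X-Frame-Options value from raw HTTP response headers on stdin.
# Header names are case-insensitive, so compare in lower case, and strip the
# CR that HTTP header lines carry so it does not end up in the value.
xfo_value() {
    tr -d '\r' | awk -F': *' 'tolower($1) == "x-frame-options" { print $2; exit }'
}

# Return 0 if the header text in $1 contains X-Frame-Options: DENY or
# SAMEORIGIN (value compared case-insensitively), 1 otherwise.
# ALLOW-FROM is deliberately not accepted: it is deprecated and ignored by
# most current browsers, so it gives no reliable protection.
xfo_ok() {
    value=$(printf '%s\n' "$1" | xfo_value | tr '[:lower:]' '[:upper:]')
    case "$value" in
        DENY|SAMEORIGIN) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch the headers of one URL with a HEAD request and report the result.
# Returns 0 on a correct header, 1 if it is missing/weak, 2 if unreachable.
check_url() {
    url="$1"
    headers=$(curl -sS -I --max-time 10 "$url") || {
        echo "FAIL: could not fetch $url" >&2
        return 2
    }
    if xfo_ok "$headers"; then
        echo "OK:   $url -> X-Frame-Options: $(printf '%s\n' "$headers" | xfo_value)"
        return 0
    fi
    echo "FAIL: $url has no X-Frame-Options: DENY/SAMEORIGIN header" >&2
    return 1
}

# Constructed sample responses (not captured from a real server) showing the
# fixed and the unfixed case.
GOOD_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
X-Frame-Options: SAMEORIGIN
Server: Jetty(7.6.15.v20140411)'

BAD_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Server: Jetty(7.6.15.v20140411)'

# Usage:
#   sh check_xfo.sh --live http://localhost:8980/opennms/index.jsp \
#                          http://localhost:8980/opennms/login.jsp
# With no arguments the script only exercises the constructed samples.
if [ "${1:-}" = "--live" ]; then
    shift
    rc=0
    for u in "$@"; do
        check_url "$u" || rc=1
    done
    exit "$rc"
fi
```

Check more than index.jsp: the rule above uses pattern "*", so every path served by Jetty should carry the header; spot-checking the login page and a REST endpoint catches a handler placed after the contexts or a jar that did not load. The OWASP cheat sheet linked in the description also recommends the Content-Security-Policy frame-ancestors directive for browsers that support it; X-Frame-Options remains the right choice for the scanner finding here and for older browsers.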

Acceptance / Success Criteria

None

Activity

Craig Gallen May 18, 2016 at 7:11 AM

pull request https://github.com/OpenNMS/opennms/pull/808 : changes to address clickjacking vulnerability

Craig Gallen May 16, 2016 at 9:11 AM
Edited

adding this configuration option in branch NMS-8393-foundation-2016 based on foundation-2016

documentation for fix added to OpenNMS wiki https://www.opennms.org/wiki/Nessus_Security_Fixes

Fixed

Created May 3, 2016 at 10:27 AM
Updated June 28, 2016 at 3:45 PM
Resolved May 18, 2016 at 1:07 PM