eXistdb : No X-FRAME-OPTIONS Header Vulnerability

eXistdb : No X-FRAME-OPTIONS Header Vulnerability

Bhargav, Himanshu

Hi All,


I have configured eXistDB at mortbay:jetty server on port :8090. I received a Vulnerability "No X-FRAME-OPTIONS Header" on this server for port 8090. Looking for help to resolve this vulnerability on this server.


Please find below description of the Vulnerability :


This host does not appear to utilize the benefits that the X-FRAME-OPTIONS HTTP header element offers. This header may be implemented to prevent pages on this system from being used as part of a click-jacking scenario. The X-FRAME-OPTIONS header specifies what systems (if any) are allowed to refer to pages on this system (when the page is to appear within an HTML frame type of object).


The remediation has been given below but did not succeed; how/where do I apply changes to resolve this issue?


Consider utilizing the X-FRAME-OPTIONS header option to prevent click-jacking type of attacks


Looking for your reply to solve this Vulnerability on mortbay:jetty server on port :8090 for eXistdb.


Thanks & Regards,

Himanshu Bhargav



"This e-mail and any attachments transmitted with it are for the sole use of the intended recipient(s) and may contain confidential , proprietary or privileged information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this e-mail or any action taken in reliance on this e-mail is strictly prohibited and may be unlawful."
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open

Re: eXistdb : No X-FRAME-OPTIONS Header Vulnerability

Dannes Wessels-3
Hi,

On 17 Apr 2017, at 15:51, Bhargav, Himanshu <[hidden email]> wrote:

I have configured eXistDB at mortbay:jetty server on port :8090.

What does this mean exactly? Did you set up your own jetty server?

D.



Re: eXistdb : No X-FRAME-OPTIONS Header Vulnerability

Martin Holmes
In reply to this post by Bhargav, Himanshu
Hi Himanshu,

Your post encouraged me to try this:

   response:set-header('X-Frame-Options', 'DENY')

and it works fine:

   Date: Mon, 17 Apr 2017 22:39:43 GMT
   Server: Jetty(9.3.9.v20160517)
   x-frame-options: DENY
   Last-Modified: Tue, 11 Apr 2017 23:28:19 GMT
   Created: Tue, 11 Apr 2017 23:28:19 GMT
   Content-Type: text/html;charset=utf-8
   Vary: Accept-Encoding,User-Agent
   Content-Encoding: gzip
   200 OK

meaning that my site passes this test:

   <https://tools.geekflare.com/web-tools/x-frame-options-test>

which it previously failed. I added it into my controller.xql like this:

if ($exist:path eq '/') then
     (response:set-header('X-Frame-Options', 'DENY'),
     <dispatch xmlns="http://exist.sourceforge.net/NS/exist">
      <forward url="{concat($exist:controller, '/data/index.htm')}"/>
     </dispatch>)

Thanks for the useful tip.

Cheers,
Martin

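A small checker for the kind of header dump Martin pasted, added here as an example; it is not code from the thread or from eXist-db. It parses a raw response-header block (the two sample blocks are constructed, modelled on the dump above), tolerates the lower-case `x-frame-options` name Jetty emitted, and reports the cases a scanner would still fail: header missing, an obsolete value such as ALLOW-FROM that browsers do not honour, or two layers (for instance controller.xql and a reverse proxy) each setting a different value.

```python
"""Check a captured HTTP response header block for an effective X-Frame-Options.

Added example, not code from the eXist-db thread. It reads a raw header dump
such as the one pasted in the thread and classifies the X-Frame-Options
situation the way a clickjacking header test would. The sample header blocks
below are constructed for this script.
"""
from __future__ import annotations

# Values browsers honour. ALLOW-FROM was never supported by all browsers and
# is obsolete, so it is reported as invalid rather than as a pass.
VALID_XFO = {"DENY", "SAMEORIGIN"}

# Constructed sample modelled on the hardened response from the thread.
SAMPLE_WITH_XFO = """\
Date: Mon, 17 Apr 2017 22:39:43 GMT
Server: Jetty(9.3.9.v20160517)
x-frame-options: DENY
Content-Type: text/html;charset=utf-8
200 OK
"""

# Constructed sample of the same response before the header was added.
SAMPLE_WITHOUT_XFO = """\
Date: Mon, 17 Apr 2017 22:39:43 GMT
Server: Jetty(9.3.9.v20160517)
Content-Type: text/html;charset=utf-8
200 OK
"""


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Turn 'Name: value' lines into (name, value) pairs.

    Header names are case-insensitive, so they are lower-cased. Lines without
    a colon (status line, blanks) are skipped; only the first colon splits.
    """
    pairs = []
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name:
            pairs.append((name, value.strip()))
    return pairs


def x_frame_options_values(raw: str) -> list[str]:
    """Collect every X-Frame-Options value in order.

    Comma-joined values are split too, because a proxy may merge repeated
    headers into a single line.
    """
    values = []
    for name, value in parse_headers(raw):
        if name != "x-frame-options":
            continue
        for part in value.split(","):
            part = part.strip()
            if part:
                values.append(part)
    return values


def x_frame_options_status(raw: str) -> str:
    """Classify a response as 'missing', 'ok', 'conflicting' or 'invalid:<value>'.

    'conflicting' means two different values were sent (e.g. DENY and
    SAMEORIGIN). Browsers have not always agreed on how to resolve that, and
    it usually means two layers are both setting the header, so it is
    reported instead of being treated as a pass.
    """
    values = x_frame_options_values(raw)
    if not values:
        return "missing"
    if len({v.upper() for v in values}) > 1:
        return "conflicting"
    value = values[0]
    if value.upper() in VALID_XFO:
        return "ok"
    return f"invalid:{value}"


if __name__ == "__main__":
    for label, sample in (("hardened", SAMPLE_WITH_XFO), ("original", SAMPLE_WITHOUT_XFO)):
        print(f"{label}: {x_frame_options_status(sample)}")
```

Feed it the header block from `curl -sI` (or any other capture of the response headers) for the port the scanner flagged; a result other than `ok` is the thing to fix before re-running the scan.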