How to prevent Clickjacking in MicroStrategy Web 9.4.1
I came across the tech note below, shared by MicroStrategy, to address UI redress attacks. I thought it would be helpful for users who are facing a similar issue in their real-time projects.
Clickjacking is possible because seemingly harmless features of HTML web pages, such as frames and transparent layers, can be employed to perform unexpected actions.
A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link or button. The attacker's page loads the target page in a transparent layer (typically an iframe) positioned over a visible decoy. Users think they are clicking the visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page on which the user is already authenticated; the attacker can therefore trick users into performing actions they never intended, and because the resulting requests carry the user's own session, the application's logs attribute them to the user rather than to the attacker.
Clickjacking, also called a UI redress attack, is a form of security attack in which an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page. In other words, the attacker hijacks clicks meant for a legitimate page and routes them to another page, most likely owned by another application, domain, or both. For example, an attacker may load the login page of a trusted website into an invisible iframe to trick a user into typing their user name and password into the invisible frame. It is important to mention that clickjacking exploits browser framing behaviour and is not a MicroStrategy vulnerability; it is avoided by adding certain headers or scripts to the responses issued by the web application server.
MicroStrategy Web 9.4.1 introduced two new settings to force the application server to add the necessary headers or scripts to address this issue. They can be found in the MicroStrategy Web 9.4.1 Admin page under Security, at the bottom of the page, as shown below.
- Prevent clickjacking by adding a frame-breaking script to pages:
Select this option to prevent the page from being incorporated into a frame or iframe using a script that forces the parent window to load the URL of the current frame. This option is supported in all web browsers and preserves all of the page's content. However, portals are not supported with this option, as the framed content will replace the parent (portal) window. Note also that frame-breaking scripts can be defeated: an attacker can frame the page in an HTML5 iframe with a sandbox attribute that lacks the allow-top-navigation flag, so the script runs but the browser refuses the redirect and the page stays framed. Prefer the header-based option below where the browsers in use support it.
- Prevent clickjacking by adding an X-Frame-Options header to page responses:
X-Frame-Options is an HTTP response header sent by the Web Application Server to tell web browsers under what conditions the contents of a page may be loaded within a frame. Browsers that understand the header will not display the contents of the page if the conditions are violated. However, if the page is served over plain HTTP and the user is on a non-secure or unfamiliar network, attackers may be able to use a proxy to strip the header; serving MicroStrategy Web over HTTPS prevents this. This option is supported by Internet Explorer 8+, Safari 4+, Chrome 4+, and Firefox 3.6+. Select one of the following:
- Set X-Frame-Options to SAMEORIGIN:
Select this option to allow the page to load in a frame only if the page and the frame attempting to load it share the same origin (scheme, host and port). This option accommodates portals served from the same origin and gives attackers fewer chances to find a workaround. However, requests from cross-domain portals will be denied. If using portals, the portal server must be located under the same origin as the MicroStrategy Web server that is serving the content.
- Set X-Frame-Options to DENY:
Select this option to prevent the page from being displayed inside a frame at all, regardless of the domain in which the framing page is located.
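The browser-side decision behind these two options, as an added JavaScript example that is not MicroStrategy's code and not part of the tech note. It models how a browser evaluates an X-Frame-Options value against the page origin and the top-level origin (DENY, SAMEORIGIN, a missing or unrecognised value, and conflicting directives), what the frame-breaking option injects and why an iframe sandbox attribute can bypass it, and a small audit a tester can run over captured response headers after enabling the setting. All URLs, origins and header maps are constructed for the demonstration.

```javascript
'use strict';
// Added example, not MicroStrategy code. Models the browser's framing decision
// for X-Frame-Options, the frame-breaking script and its sandbox bypass, and a
// header audit. All URLs and header maps below are constructed samples.

// An origin is scheme + host + port. X-Frame-Options: SAMEORIGIN compares exactly
// this, so https://bi.example.com and https://bi.example.com:8443 differ.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

// Parse an X-Frame-Options value. Tokens are ASCII case-insensitive. Duplicate
// headers reach the parser comma-joined; when the directives conflict, Chromium
// falls back to DENY. ALLOW-FROM and anything else unrecognised is ignored by
// Chrome and Safari, which leaves the page framable there.
function parseXfo(value) {
  if (value == null) return { mode: 'none' };
  const tokens = String(value).split(',').map(t => t.trim().toUpperCase()).filter(Boolean);
  const distinct = new Set(tokens);
  if (distinct.size === 0) return { mode: 'none' };
  if (distinct.size > 1) return { mode: 'DENY', conflict: true };
  const tok = tokens[0];
  if (tok === 'DENY' || tok === 'SAMEORIGIN') return { mode: tok };
  return { mode: 'invalid', raw: tok };
}

// The decision a browser makes when a document at pageUrl is loaded in a frame
// whose top-level document is at topUrl.
function browserAllowsFraming(xfoValue, pageUrl, topUrl) {
  const xfo = parseXfo(xfoValue);
  switch (xfo.mode) {
    case 'DENY':       return false;
    case 'SAMEORIGIN': return originOf(pageUrl) === originOf(topUrl);
    default:           return true; // no header, or a value the browser ignores
  }
}

// The frame-breaking option injects a script equivalent to this one. Assigning
// top.location is a top-level navigation, which an
// <iframe sandbox="allow-scripts allow-forms"> forbids: the script runs, the
// navigation is refused, and the page stays framed.
const FRAME_BREAKER =
  'if (window.top !== window.self) { window.top.location = window.self.location; }';

// What the server-side option does: place the script first in <head> so it runs
// before any content the user could be tricked into clicking.
function injectFrameBreaker(html) {
  return html.replace(/<head[^>]*>/i, m => `${m}<script>${FRAME_BREAKER}</script>`);
}

// Model of the bypass: sandboxFlags is the iframe's sandbox attribute value, or
// null when the attribute is absent. The script escapes only if it may run at all
// and is allowed to navigate the top-level browsing context.
function frameBreakerEscapes(sandboxFlags) {
  if (sandboxFlags === null) return true; // no sandbox: navigation allowed
  const flags = sandboxFlags.split(/\s+/);
  return flags.includes('allow-scripts') && flags.includes('allow-top-navigation');
}

// What a tester checks after enabling the setting: look at the captured response
// headers (names matched case-insensitively) and report weaknesses.
function auditFramingDefenses(headers) {
  const get = name => {
    const key = Object.keys(headers).find(k => k.toLowerCase() === name);
    return key === undefined ? null : headers[key];
  };
  const findings = [];
  const xfo = parseXfo(get('x-frame-options'));
  if (xfo.mode === 'none') findings.push('missing X-Frame-Options: page can be framed from any origin');
  if (xfo.mode === 'invalid') findings.push(`X-Frame-Options '${xfo.raw}' is ignored by Chrome and Safari`);
  if (xfo.conflict) findings.push('conflicting X-Frame-Options directives; Chromium falls back to DENY');
  const csp = get('content-security-policy') || '';
  if (!/frame-ancestors/i.test(csp)) {
    findings.push('no Content-Security-Policy frame-ancestors directive (the newer equivalent)');
  }
  return findings;
}

// Constructed responses: the unprotected default and the SAMEORIGIN setting.
const WEAK_RESPONSE = { 'Content-Type': 'text/html; charset=UTF-8' };
const HARDENED_RESPONSE = { 'Content-Type': 'text/html; charset=UTF-8', 'X-Frame-Options': 'SAMEORIGIN' };

const page = 'https://bi.example.com/MicroStrategy/servlet/mstrWeb';
console.log('weak:', auditFramingDefenses(WEAK_RESPONSE));
console.log('hardened:', auditFramingDefenses(HARDENED_RESPONSE));
console.log('same-origin portal may frame:', browserAllowsFraming('SAMEORIGIN', page, 'https://bi.example.com/portal/'));
console.log('cross-origin portal may frame:', browserAllowsFraming('SAMEORIGIN', page, 'https://portal.example.com/'));
console.log('frame-breaker escapes sandboxed iframe:', frameBreakerEscapes('allow-scripts allow-forms'));
```

The origin comparison is the detail that trips up portal deployments: a portal on a different port or scheme of the same host is a different origin and will be denied under SAMEORIGIN, exactly as the cross-domain case is.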
It is important to mention that all these security measures are enforced by the web browser. The X-Frame-Options header can also be set directly on the web application server, for example in Internet Information Services as explained in the following Microsoft Technical Note: http://support.microsoft.com/kb/2694329. Browsers newer than those listed above also honour the Content-Security-Policy frame-ancestors directive, which gives the same protection with finer control over which origins may frame the page.
Note: Refer to Microsoft Support for more information on the settings for Internet Information Services.