EP: Portal & Clickjacking – A Hidden Relationship?
In the modern world of computing, IT security is perhaps one of the most important aspects of assured business practice and conformance. Without the necessary security measures and protection mechanisms the consequences can be severe in all walks of life, and the Enterprise Portal is no different. In my experience with the Enterprise Portal I have dealt with many different scenarios in which customers have run security scans and updates to identify vulnerabilities and apply corrective measures where necessary. Such processes are encouraged, as they help ensure Portal environments are fine-tuned when it comes to protection against harmful and malicious threats from diverse sources.
What is Clickjacking
Clickjacking is something I have seen noted by customers on multiple occasions as a result of running vulnerability scans. In essence, clickjacking is a clever means of tricking users into performing hidden actions through disguised links and page elements, typically by loading the target page invisibly inside a frame on top of decoy content, so that the user's click lands on the hidden page.
Clickjacking – Protection Step 1
If you have conversed with SAP you will be aware of the importance of applying the latest Patch Level release and Support Package. Applying the latest Patch Levels and SPs resolves easily avoidable issues and offers preventive measures against potential ones. "Potential issues" can indeed include security breaches and threats, therefore the recommendation is always to ensure the latest SPs and patches have been applied.
- Patches & SP’s: https://support.sap.com/software.html
Clickjacking – Protection Step 2
If you run security and authorization checks from a Portal perspective you may come across possible concerns across a wide range of Portal component areas, and in many cases these have to be checked independently. Here we lay the foundation (following Step 1) for a solid clickjacking protection setup, implementing preventive guidelines to ensure your Portal setup and environment has the correct security settings.
A core aspect of clickjacking protection is the surrounding platform in which the Portal operates: the web browser.
From the Portal's perspective it is of vital importance that the web browser in use is supported by SAP. To support optimal browser behaviour you will need to ensure that the browser version in use (IE, Chrome, Firefox, Safari) supports your NW version and vice versa. By optimal browser behaviour I am referring to two different aspects:
- Rendering: how EP components and elements are presented to the end user
- Security & Navigation: functional setup and, essentially, "click-ability" and "select-ability"
The primary means of checking whether your present browser version is supported is the SAP PAM (Product Availability Matrix). The PAM shows which product versions support which browser versions and vice versa, and it also outlines the limitations (if any) of a potentially unsupported setup.
- Access the PAM: https://support.sap.com/pam
Although using an unsupported browser can be dismissed as a lack of common sense, in many cases we inadvertently open ourselves up to potential threats. For example, if you are using standardized company software and participating in a project, you may want to use free software to add an extra degree of detail to your project. This could be anything from a grammar-checking tool to graphics generation software.
If you have experience downloading software you will have encountered launchers and .exe installers on many occasions. We often click quickly through the installer because we only want the final product, and in doing so we might accidentally install a host of third-party tools such as browser plugins and toolbars. In essence, you are never quite sure what you are downloading if it is not from a trusted source. By downloading third-party software, even for temporary use, you could inadvertently be installing spyware or phishing mechanisms and be none the wiser.
The recommendation is to install only what is supported and to consult your administrators about any programs or tools you intend to use that are not available as standard in your organization.
Combining Protection Step 1 & Protection Step 2
I would strongly recommend reviewing the following guidance documentation for additional insight, as it will help set a solid foundation of protection measures against clickjacking.
- Browser Security:
Protection Step 3 – Applications & Elements
The first point of reference here is SAP Note 1781171 – ClickJacking vulnerability in WebDynpro Java. Good practice is to set the property "ClickJacking" to "true" and "X-FRAME-OPTIONS" to "SAMEORIGIN". This ensures that the protection is applied consistently on all WDJ server responses.
- SAP Note: 2319727 – Clickjacking protection framework in SAP Netweaver AS ABAP and AS Java
However, do note that X-FRAME-OPTIONS is not supported by all browsers. Refer to the following for more details:
- You may also refer to the following URL for more details on the attributes that can be added to X-FRAME-OPTIONS:
Protection Step 4 – Iframes & Forbidden Framing References
Many of us as Portal end users have encountered the infamous message "This content cannot be displayed in a frame. To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame. What you can try: Open this content in a new window", which can arise from a whole range of different issues. Sticking to the topic of clickjacking on the Web Dynpro front, in many cases the root cause is actually the web browser itself and cannot be avoided by us.
Both documentation links outlined above share additional details about the Allow-From attribute. Such issues led to the creation of X-Frame-Options to avoid clickjacking vulnerabilities in WD setups, which again is complemented by SAP Note 1781171 – ClickJacking vulnerability in WebDynpro Java.
By definition the Portal allows itself to be framed into a page on a third-party domain. This ability is required in order to support interoperability mode (integrating SAP Portal content into other portal servers; for more information see http://help.sap.com/saphelp_nw73/helpdata/en/24/68b6dff7be4d6a98d0d49eba920096/content.htm).
This is the reason we cannot control the X-Frame-Options header (which disables or limits framing) from the Portal itself. To avoid clickjacking you can use a reverse proxy to prevent the SAP NW Portal framework page from being framed: configure the reverse proxy to send the X-FRAME-OPTIONS header to disallow framing. To prevent clickjacking, a website owner (Google, for example) can send the HTTP response header X-Frame-Options "DENY". The browser then refuses to render the page in a frame and you get the error message "This content cannot be displayed in a frame". Again, to highlight: it is a browser limitation.
One example of such a reverse proxy is the Apache reverse proxy. See more details on X-FRAME-OPTIONS here:
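As an added illustration of Protection Step 3 and Protection Step 4 together (this is my own example, not code from the original post, from SAP or from Apache), the following Python script models how a browser evaluates the X-Frame-Options header that a WDJ application or a reverse proxy sends (DENY, SAMEORIGIN and ALLOW-FROM, including the case of a browser that never implemented ALLOW-FROM), and the reverse-proxy pattern of adding the header only when the Portal's own response omits it. The Portal URL, the upstream header set, the foreign origin and the function names are all constructed for the example.

```python
"""Added example (not from the original post, from SAP or from Apache): how a
browser evaluates X-Frame-Options, and how a reverse proxy in front of the
Portal can supply the header when the Portal response does not carry one.
All URLs and header sets below are constructed for illustration."""
from typing import Dict, Optional
from urllib.parse import urlparse


def _origin(url: str) -> str:
    """Reduce a URL to scheme://host[:port]; browsers compare origins, not paths."""
    parts = urlparse(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_allowed(xfo: Optional[str], page_url: str, top_url: str,
                  browser_supports_allow_from: bool = True) -> bool:
    """Return True if a browser would render page_url inside a frame hosted on top_url.

    xfo is the raw X-Frame-Options value from page_url's response (None = absent).
    browser_supports_allow_from models the caveat that ALLOW-FROM was never
    implemented by every browser; a browser without it ignores the header entirely.
    """
    if xfo is None:
        return True  # no header: the page may be framed from anywhere
    directive, _, argument = xfo.strip().partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return _origin(page_url) == _origin(top_url)
    if directive == "ALLOW-FROM":
        if not browser_supports_allow_from:
            return True  # unsupported directive: header ignored, so no protection
        return _origin(argument.strip()) == _origin(top_url)
    return True  # malformed value: browsers ignore the header


def add_framing_protection(upstream: Dict[str, str],
                           policy: str = "SAMEORIGIN") -> Dict[str, str]:
    """Reverse-proxy step: pass the Portal's response headers through unchanged,
    adding X-Frame-Options only when the upstream did not send one, so an
    application that already sets its own value (e.g. WDJ) keeps it."""
    result = dict(upstream)
    if not any(name.lower() == "x-frame-options" for name in result):
        result["X-Frame-Options"] = policy
    return result


def audit(headers: Dict[str, str], page_url: str,
          foreign_top: str = "https://other-site.example") -> Dict[str, object]:
    """Summarise whether a response can be framed from a foreign origin and from
    the Portal's own origin (the latter must stay True for Portal framework pages)."""
    xfo = next((v for k, v in headers.items() if k.lower() == "x-frame-options"), None)
    return {
        "header": xfo,
        "framable_cross_site": frame_allowed(xfo, page_url, foreign_top),
        "framable_same_site": frame_allowed(xfo, page_url, page_url),
    }


# Constructed sample: a Portal framework page whose response carries no header.
PORTAL_URL = "https://portal.example.com:50000/irj/portal"
PORTAL_RESPONSE_HEADERS = {"Content-Type": "text/html; charset=UTF-8"}

if __name__ == "__main__":
    print("direct from Portal:", audit(PORTAL_RESPONSE_HEADERS, PORTAL_URL))
    print("via reverse proxy :", audit(add_framing_protection(PORTAL_RESPONSE_HEADERS), PORTAL_URL))
```

In Apache httpd the equivalent of `add_framing_protection` is mod_headers (`Header always setifempty X-Frame-Options "SAMEORIGIN"`, or `Header always set ...` to override whatever the upstream sent). The `audit` function makes the trade-off from this section visible: DENY blocks every frame, including the Portal's own framework page, whereas SAMEORIGIN keeps same-origin framing working while refusing a foreign top-level page.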
Reference Point – Fiori & Clickjacking.
The primary driver behind using the Fiori Launchpad on Portal is to give end users the practical experience that Fiori itself offers. The Fiori Launchpad on Portal follows the same approach as the standard Enterprise Portal environment, although the way that experience is displayed is different!