Introduction


In the modern world of computing, IT security is perhaps one of the most important aspects of assured business practice and conformance to business requirements. Without the necessary security measures and protection mechanisms, the consequences can be serious in all walks of life, and the Enterprise Portal is no different. In my experience with the Enterprise Portal I’ve dealt with many different scenarios in which customers have performed security scans and updates in a bid to identify vulnerabilities and take corrective measures where necessary. Such processes are encouraged as they help ensure Portal environments are fine-tuned when it comes to protection against harmful and malicious threats from diverse sources.

What is Clickjacking


Clickjacking is something I’ve seen noted by customers on multiple occasions as a result of running vulnerability scans. In essence, clickjacking is a means of tricking users into performing hidden actions through disguised links and page elements.




Clickjacking – Protection Step 1


If you have conversed with SAP you will be aware of the importance of implementing the latest Patch Level release and Support Package. Applying the latest Patch Levels and SPs provides resolutions to easily avoidable issues and offers preventive measures against potential ones. “Potential issues” can indeed include security breaches and threats, therefore the recommendation is always to ensure the latest SPs and patches have been applied.


Clickjacking – Protection Step 2


If you run security and authorization checks from a Portal perspective you may come across possible concerns across a wide range of Portal component areas, and in many cases these have to be checked independently. In this case we are going to lay the foundation (following Step 1) to ensure a solid clickjacking protection setup is in place. Here we are essentially implementing preventive guidelines to ensure your Portal setup and environment has the correct security settings.


A core aspect of clickjacking protection is the surrounding platform in which the Portal operates, which is the browser.





From the Portal’s perspective it is of vital importance that the web browser platform being used is supported by SAP. To support optimal browser performance you will need to ensure that the current product version being used (IE, Chrome, Firefox, Safari) supports your NW version and vice versa. By optimal browser performance I am referring to two different aspects:

  • Rendering: how the presentation is presented to the end user in terms of EP components & elements
  • Security & Navigation: functionality setup and essentially “click-ability” and “select-ability”

The primary means of checking whether or not your present web browser platform version is supported is the SAP PAM (Product Availability Matrix). The PAM shows which product versions support which web browser versions and vice versa. It also provides an informative outline of the limitations (if any) of a potentially unsupported setup.


Although we can refer to the risk of using an unsupported browser platform as a lack of common sense, in many cases we inadvertently open ourselves up to potential threats. For example, if you are using standardized company software and are participating in a project, perhaps you want to make use of free software to offer an extra degree of detail to your project. This could be anything from grammar tooling to graphics generation software.

If you have experience downloading any software program you will have encountered the launcher program and .exe files on many occasions. Here we often navigate quickly through the launch tool as we only want to make use of the final product. In doing so we might accidentally install a host of third-party tools such as browser plugins and toolbars. In essence, you are never quite sure what you are downloading if it is not from a trusted source. Upon downloading any third-party software, even for temporary use, you could inadvertently be installing spyware and phishing mechanisms to which you are “none the wiser”.

The recommendation is to install only what is supported and seek consultation from Admins regarding any potential queries you may have regarding the intended utilization of programs or tools which may not be available as standard in an organizational setup.

Combining Protection Step 1 & Protection Step 2

I would strongly recommend reviewing the following guidance documentation to add an extra degree of comprehensive insight as this will help set a solid protection measure foundation against clickjacking.


Protection Step 3 – Applications & Elements


The first point of reference here is SAP Note: 1781171 – ClickJacking vulnerability in WebDynpro Java. It is considered adequate practice to set the property “ClickJacking” to “true” and “X-FRAME-OPTIONS” to “SAMEORIGIN”. This ensures the protection is applied consistently to all WDJ server responses.


  • SAP Note: 2319727 – Clickjacking protection framework in SAP Netweaver AS ABAP and AS Java

However, do note that X-FRAME-OPTIONS is not supported by all browsers. Refer to the following for more details:

Protection Step 4 – Iframes & Forbidden Framing References


Many of us as Portal end-users have encountered the infamous message “This content cannot be displayed in a frame. To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame. What you can try: Open this content in a new window”, which can arise for a whole range of different reasons. Sticking to the topic of clickjacking on the Web Dynpro front, in many cases the root cause is actually the web browser platform itself and cannot be avoided by us.


Both documentation links outlined above share additional details about the Allow-From attribute. Such issues led to the creation of the X-Frame-Options header to avoid clickjacking vulnerabilities in WD setups, which again is complemented by SAP Note: 1781171 – ClickJacking vulnerability in WebDynpro Java.


By design the Portal allows itself to be framed by a page on another (third-party) domain. This ability is required in order to support Interoperability mode (Integrating SAP Portal Content into Other Portal Servers; for more information see http://help.sap.com/saphelp_nw73/helpdata/en/24/68b6dff7be4d6a98d0d49eba920096/content.htm).

This is the reason we can’t set the X-Frame-Options header (which disables or limits framing) on the Portal itself. To avoid clickjacking you can use a reverse proxy to prevent the SAP NW Portal framework page from being framed: configure the reverse proxy to add the ‘X-FRAME-OPTIONS’ header to disallow framing. To prevent clickjacking, a website owner (Google, for example) can send the HTTP response header X-Frame-Options with the value “DENY”. The browser then refuses to render the page in a frame and you get the error message “This content cannot be displayed in a frame”. Again, to highlight: this is a browser limitation.

One example of such a reverse proxy is the Apache reverse proxy. See more details on X-FRAME-OPTIONS here:
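As an added example (not code from the original post or from SAP), the following Python function classifies the anti-framing policy a response carries: the SAMEORIGIN value from Step 3, the DENY value a reverse proxy would add, the legacy ALLOW-FROM directive, and, going beyond the post, the CSP frame-ancestors directive that supersedes X-Frame-Options in current browsers. The header values are constructed samples, and the statements about browser support for ALLOW-FROM are the editor’s, not the post’s.

```python
# Added example, not from the original post: classify a response's anti-framing policy.
from typing import Dict, Optional

def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive, so match them case-insensitively."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def framing_policy(headers: Dict[str, str]) -> dict:
    """Report who may frame the page. 'allowed' lists permitted framers ("'self'" =
    same origin); protected=True with an empty list means nobody may frame it."""
    result = {"protected": False, "source": None, "allowed": [], "warnings": []}

    # CSP frame-ancestors supersedes X-Frame-Options in browsers that support it.
    csp = _get_header(headers, "Content-Security-Policy") or ""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            allowed = [p for p in parts[1:] if p.lower() != "'none'"]
            result.update(protected=True, source="frame-ancestors", allowed=allowed)
            return result

    xfo = _get_header(headers, "X-Frame-Options")
    if xfo is None:
        result["warnings"].append("no anti-framing header: any site may frame this page")
        return result

    value = xfo.strip()
    upper = value.upper()
    if upper == "DENY":
        result.update(protected=True, source="X-Frame-Options")
    elif upper == "SAMEORIGIN":  # the value SAP Note 1781171 recommends for WDJ responses
        result.update(protected=True, source="X-Frame-Options", allowed=["'self'"])
    elif upper.startswith("ALLOW-FROM"):
        origin = value.split(None, 1)[1] if len(value.split()) > 1 else ""
        result.update(protected=True, source="X-Frame-Options", allowed=[origin])
        result["warnings"].append(
            "ALLOW-FROM was never honoured by Chrome/Safari; add CSP frame-ancestors too")
    else:
        # Unrecognised values (e.g. ALLOWALL) are ignored by browsers: no protection.
        result["warnings"].append(f"invalid X-Frame-Options value {value!r} is ignored")
    return result

# Constructed sample: a Web Dynpro Java response hardened as the note describes.
SAMPLE_WDJ = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
```

Feeding the function the headers returned by the Portal with and without the reverse proxy in front shows whether the proxy's header actually reaches the browser.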

Reference Point – Fiori & Clickjacking.

The primary driver behind the utilization of the Fiori Launchpad on Portal is to provide end-users with the practical experience that Fiori itself offers. The utilization of the Fiori Launchpad on Portal shares the same approach delivered within the normal Enterprise Portal environment, although the way such an experience is displayed is different!


5 Comments


  1. Stefan Mahnke

    Hi Troy, great post – thanks a lot!

    I have problems accessing the links to go to help.sap.com. Can you access them?

    By the way there is another interesting SAP note 2319727 on this issue.

    Regards Stefan

  2. Lawrence Waterhouse

    Good job Troy, some other people and me discussed this topic:

    http://scn.sap.com/thread/3852423

    Behind all the general stuff (common sense, PAM, update strategy and so on) the problems that could occur seem to be technology specific. From the thread I’m pointing to I wasn’t able to perceive a concrete scenario people are talking about, if they talk about steps to prevent clickjacking in their environment. This is by far not sufficient from my point of view: what are your criteria for success or validity of steps like enriching response headers? So, are you aware of concrete malware / trojan families causing harm through clickjacking in SAP applications accessible over the web? What experience have you possibly gained by working on appropriate OSS cases? Can you deliver some real life issues for different technologies, so for WDJ or Fiori e.g.? Thank you very much for your relentless effort

    cheers

    1. Troy Cronin Post author

      Hi Stefan & Lawrence

      I hope you are both keeping well & many thanks for the feedback and continual support it is greatly appreciated.

      @Stefan I’ve added the note you highlighted to the blog posting for future interested parties as this is of vital importance (many thanks for pointing this out). Please kindly let me know if you encounter issues with the sap.help pages and I will look into this internally.

      @Lawrence I agree with you 100% especially with reference to the thread discussions. When we are dealing with clickjacking scenarios obviously there are two main points of interest the first of which relates to high level “generic” protection for system setups and the second is based upon customer specific scenarios. At present there is no clean-cut method combining both although I plan to work towards creating such a methodology with these blog postings. So as we know here the “preventive” measures stem directly from SAP Note: “2169722 – Clickjacking protection framework for Enterprise Portal”.


      Now regarding your queries let’s try and address these individually. Firstly with respect to Fiori and the setup. At present as we know Fiori is still relatively new & fresh in terms of functionality and operation enhancements. In direct association to Fiori and ClickJacking there is one core highlighted issue which has been reported at present which ties back to SAP Note: 2057847. With Fiori it’s important when we are dealing with AI Fiori iViews to ensure the iView setup itself follows the official configuration guide:


      There was a noted issue here with the use of the iView and IE11 as a Web Browser Platform as running clickjacking protection with invalid relaxed boundaries could potentially block the applications from appearing correctly. In the SAP Fiori iView the point of interest here is the property “com.sap.portal.reserved.iview.Redirect”:


      Now regarding concrete Malware families obviously these exist in abundance and the fundamental protection guide is that of:

      Again here as you will see the best form of protection is indeed prevention. However with reference to cross-site framing issues the currently identified weaknesses are indeed reviewed here:

      Cross-Site issues are highly dependent on the NetWeaver version, as many versions have patches available (SAP Note: 1450166 describes the NW engine protection mechanism). This note has a conjoined guide attached to it. In the guide you can see how to protect standard & custom applications from XSRF attacks. Essentially this diversity among applications is where a “generic” or “general” one-for-all fix is removed as a possibility. However the principle of protection through prevention remains prevalent.

      From a Java perspective the recommendation is to deploy the latest patch level of the SCAs described in the validity section (SAP-JEE, SAP_JTECHS, SAP-JEECOR).


      • This will add the XSRF Protection Framework to your system (if omitted).

      To protect applications from XSRF attacks they need to be adapted to the XSRF Protection Framework, as described in the attached guide (especially see Section 4 and Section 5).


      Lastly again to generalize I would like to just add a point which complements the protection points covered in the blog itself. By the end of 2017 EP 7.0 versions will no longer be supported and this could lead to a wide range of issues especially with security protection. Therefore as you will know we are actively encouraging the upgrade to a newer higher NW Version now as opposed to waiting until the last moment. The recommendation is to upgrade to EP 7.5 which has the longest maintenance period and moreover provides you with multiple new features and security enhancements.

      As always please feel free to reach out to me directly on SCN with any queries/comments/concerns that you might have and I will actively respond (time permitting) 😆 .

      Thank you both once again for the feedback it is greatly appreciated and I will continue to deliver blog content on all things Portal related.

      Kind Regards

      Troy Cronin – Enterprise Portal Support Engineer.

      1. Lawrence Waterhouse

        Troy, thank you very much for your effort, I appreciate your work.

        Complex topic, I’m noticing I have a serious lack of knowledge regarding UI5 security and XSRF in the context of frame protection, I will need to correct that first. This:

        https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

        helped me a bit. Indeed, some aspects of x-frame-options protection seem to be controversially discussed:

        https://nealpoole.com/blog/2012/03/csrf-clickjacking-and-the-role-of-x-frame-options/

        At the end: what did Doc Brown do to get some plutonium for the flux capacitor? Right, he made a deal with the Libyans 🙂 So I guess it could be a good idea to do some tests in an isolated environment. I hope I can come back on this soon

        Btw, this one seems to be broken:

        http://help.sap.com/saphelp_uiaddon10/helpdata/en/91/f3b66b6f4d1014b6dd926db0e91070/content.htmframeset=/en/5e/55f15acb5…

        Thank you again,

        cheers

        1. Troy Cronin Post author

          Hi Lawrence

          Absolutely my pleasure and no problem at all 😎 . Regarding UI5 and ClickJacking I agree completely the topic is indeed “heavy” and can be quite complex. Also when we add the newer technologies into the mix we are all in the same boat of learning 😆 .

          The cheat sheet you provided is very very informative and a great source of reference here. I believe I will over time make this blog posting into a series like I did with Fiori and Portal Logoff scenarios as this might be the best approach here. If I can make a series of postings that might be beneficial for all of us and help us have solid security settings with the Portal itself as the baseline and all integrated data & applications.

          If you have any inputs down the line please let me know and I will include these! Two minds are better than one as they say 😆 .

          p.s. I have updated the broken link, let me know if there are any issues with accessing any of the documentation and I will correct these.

          https://help.sap.com/saphelp_uiaddon10/helpdata/en/91/f3b66b6f4d1014b6dd926db0e91070/content.htm

          Kind Regards & Have a Great Day

          Troy Cronin – Enterprise Portal Support Engineer

