Cross site framing vulnerability in java

What is Cross Site Framing:
Cross-site framing means that a page of one website is rendered completely inside an iframe on another website. This gives the impression that we are on the site the page belongs to, while we are actually working in a third-party website. Still not clear? Let us see the example below.

Let us say, for example, that the site www.onlyjavaexceptions.com has a framing vulnerability. The attacker creates an iframe and includes some of the main URLs of the onlyjavaexceptions site in it, as shown above. Using CSS tricks they build the iframes in such a way that you feel you are in the original site only.

What is the Benefit:
As soon as we land on the attacker's site, they have full control of the parent page. Since the original site is included as an iframe, control of the parent window is with the attacker, so the attacker can obtain your critical and confidential information by observing the keystrokes within the child iframe. Because of this, cross-site framing is one of the biggest threats to a website.

Now let us see how to avoid this in Java. We need to add a response header, and it must be added on every page where sensitive information is shared. If you feel the entire site needs to be protected, add it in a filter, because the filter is the entry point for every request. The header to add is called X-FRAME-OPTIONS. Since we want to protect the entire site, let us add it in the filter.

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class CommonFilter implements Filter {
    private FilterConfig config;

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        // Tell the browser not to render this response inside any frame
        ((HttpServletResponse) resp).setHeader("X-FRAME-OPTIONS", "DENY");
        chain.doFilter(req, resp);
    }

    public void init(FilterConfig config) throws ServletException {
        this.config = config;
    }

    public void destroy() {
        config = null;
    }
}

If we set X-Frame-Options to "DENY", no iframe will work, not even an iframe from the same domain. If you want same-domain iframes to keep working, use the SAMEORIGIN option. The following entry also needs to be added in web.xml:


After the above settings, if the content of the site is accessed inside a frame, only a blank page is displayed. The same task can be achieved on the client side using frame-busting JavaScript code. This JavaScript makes sure that the framed content will not be loaded properly.
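A verification step for the filter above, added here as an example and not part of the original post: the class below classifies the framing protection a response actually declares, so it can be run against the Map that HttpURLConnection.getHeaderFields() returns in an integration test, or against recorded headers. FramingCheck, its Verdict enum and the sample header maps are my own names and constructed values; it assumes Java 11 or later.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Added check: classify the framing protection declared by a response's headers.
// The header maps in main() are constructed samples; the same function can be
// fed the Map<String, List<String>> returned by HttpURLConnection.getHeaderFields().
public class FramingCheck {
    public enum Verdict { DENY, SAMEORIGIN, CSP_FRAME_ANCESTORS, DEPRECATED_ALLOW_FROM, UNPROTECTED }

    // Header names are case-insensitive; getHeaderFields() also uses a null key for the status line.
    static List<String> values(Map<String, List<String>> headers, String name) {
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (e.getKey() != null && e.getKey().equalsIgnoreCase(name)) {
                return e.getValue();
            }
        }
        return List.of();
    }

    public static Verdict assess(Map<String, List<String>> headers) {
        // A CSP frame-ancestors directive overrides X-Frame-Options in browsers that support it
        for (String policy : values(headers, "Content-Security-Policy")) {
            for (String directive : policy.split(";")) {
                if (directive.trim().toLowerCase(Locale.ROOT).startsWith("frame-ancestors")) {
                    return Verdict.CSP_FRAME_ANCESTORS;
                }
            }
        }
        for (String value : values(headers, "X-Frame-Options")) {
            String v = value.trim().toUpperCase(Locale.ROOT);
            if (v.equals("DENY")) return Verdict.DENY;
            if (v.equals("SAMEORIGIN")) return Verdict.SAMEORIGIN;
            // ALLOW-FROM was dropped by current browsers, so it offers no protection there
            if (v.startsWith("ALLOW-FROM")) return Verdict.DEPRECATED_ALLOW_FROM;
        }
        return Verdict.UNPROTECTED;
    }

    public static void main(String[] args) {
        // Constructed sample responses: one from a site behind the CommonFilter, and two weaker ones
        Map<String, List<String>> filtered = Map.of("x-frame-options", List.of("DENY"));
        Map<String, List<String>> legacy = Map.of("X-Frame-Options", List.of("ALLOW-FROM https://partner.example"));
        Map<String, List<String>> none = Map.of("Content-Type", List.of("text/html"));
        System.out.println("filtered: " + assess(filtered));
        System.out.println("legacy:   " + assess(legacy));
        System.out.println("none:     " + assess(none));
    }
}
```

Anything other than DENY, SAMEORIGIN or a CSP frame-ancestors directive should be treated as a finding, since browsers ignore unknown X-Frame-Options values and the page can then be framed.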

