How to configure OneClick's tomcat server to protect against HSTS and Clickjacking vulnerabilities

Article ID: 139277

Products

CA Spectrum DX NetOps

Issue/Introduction

OneClick's Tomcat process does not send the following security response headers and is therefore susceptible to the associated attacks:

X-Frame-Options – clickjacking attack
X-XSS-Protection – cross-site scripting attack
X-Content-Type-Options – content type sniffing
HSTS (Strict-Transport-Security) – strict transport security

Environment

Release: 10.3.2, 10.4, 10.4.1, 10.4.2 / Netops 20.2.x, 21.2.x

Component: SPCOCK - Spectrum OneClick

Resolution

To secure OneClick against these attacks, use the following procedure to enable Tomcat's HttpHeaderSecurityFilter (the antiClickJacking feature). The filter adds the response headers listed above to every response it handles.


STEPS TO SECURE

-------------------------------

  • Edit the $SPECROOT/tomcat/conf/web.xml and $SPECROOT/webtomcat/conf/web.xml files
  • Uncomment the block below

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param> 
        <async-supported>true</async-supported>
    </filter>


** The commented-out filter block shipped in web.xml does not contain the <init-param></init-param> element; you will need to add it to the block as shown above.
  • Next, uncomment the following block

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>


  • Save both web.xml files
  • Stop and restart both the tomcat and webtomcat services
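The edit above is easy to lose (the note under Additional Information warns that an upgrade may revert web.xml), so a quick audit of each web.xml is worth keeping at hand. The script below is an added example, not part of this article or of the Spectrum product: it parses a web.xml, confirms that the httpHeaderSecurity <filter> and its <filter-mapping> are active (a block still inside <!-- --> is dropped by the XML parser and is therefore reported as missing), and reports the antiClickJackingOption value. The embedded web.xml is a constructed sample; the file paths in the comments are the ones named in this article.

```python
# Added example (not from the KB article or the Spectrum product): audit a Tomcat
# web.xml for the httpHeaderSecurity filter the article tells you to uncomment.
# Run with a path ($SPECROOT/tomcat/conf/web.xml, $SPECROOT/webtomcat/conf/web.xml)
# or with no argument to audit the constructed sample below.
import sys
import xml.etree.ElementTree as ET

# Constructed sample: one filter left commented out, the security filter active.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
    <!--
    <filter>
        <filter-name>someDisabledFilter</filter-name>
        <filter-class>org.example.Disabled</filter-class>
    </filter>
    -->
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
        <async-supported>true</async-supported>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
</web-app>
"""

FILTER_NAME = "httpHeaderSecurity"


def _local(tag):
    """Strip the XML namespace so element names match in any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else None


def audit_web_xml(xml_text):
    """Return a dict describing whether the security filter is fully enabled.

    ElementTree discards XML comments, so a filter that is still wrapped in
    <!-- ... --> never appears and is reported as not defined.
    """
    root = ET.fromstring(xml_text)
    result = {"filter_defined": False, "mapping_defined": False, "init_params": {}}
    for f in _children(root, "filter"):
        if _text(f, "filter-name") == FILTER_NAME:
            result["filter_defined"] = True
            for p in _children(f, "init-param"):
                result["init_params"][_text(p, "param-name")] = _text(p, "param-value")
    for m in _children(root, "filter-mapping"):
        if _text(m, "filter-name") == FILTER_NAME:
            result["mapping_defined"] = True
            result["url_pattern"] = _text(m, "url-pattern")
    result["anticlickjacking"] = result["init_params"].get("antiClickJackingOption")
    # DENY or SAMEORIGIN are the values this check accepts for X-Frame-Options.
    result["ok"] = (
        result["filter_defined"]
        and result["mapping_defined"]
        and result["anticlickjacking"] in ("DENY", "SAMEORIGIN")
    )
    return result


def audit_file(path):
    with open(path, encoding="utf-8") as fh:
        return audit_web_xml(fh.read())


if __name__ == "__main__":
    report = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_web_xml(SAMPLE_WEB_XML)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it once against each of the two web.xml files after the edit, and again after any Spectrum upgrade; a result with `filter_defined` false means the block is still commented out.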


Tomcat will now add the response headers that prevent the vulnerabilities listed above. This can be verified using the web browser's Developer Tools (typically opened with F12):

Select the 'Network' tab
Click the '/spectrum' entry (you may need to refresh the web page)
Select the 'Headers' tab

Check the response headers.

The following headers should now be present in the response:

Strict-Transport-Security: max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
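The same check can be scripted instead of read off the Dev Tools panel. The script below is an added example, not part of this article or of the Spectrum product: it inspects a set of response headers for the four headers listed above and reports each as ok, missing or carrying an unexpected value. Two caveats it encodes are facts about the headers rather than about Spectrum: a Strict-Transport-Security value of max-age=0, the value shown above and the default when the filter's hstsMaxAgeSeconds init-param is not set, tells browsers to stop treating the host as an HSTS host, so HSTS is not actually enforced until a positive max-age is configured; and current Chromium and Firefox builds ignore X-XSS-Protection, so that header should be treated as legacy rather than as real XSS protection. The SAMPLE_HEADERS dictionary is constructed from the values shown above; fetch_headers() is a convenience for checking a live OneClick URL and is not exercised offline.

```python
# Added example (not from the KB article or the Spectrum product): check a
# response header set for the headers HttpHeaderSecurityFilter is expected to add.
import re
import sys
import urllib.request

# Constructed sample mirroring the header values shown in the article.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=0",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}


def check_security_headers(headers):
    """Return {header: status}, where status is 'ok', 'missing' or a reason string."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = {}

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing"
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if not m:
            findings["Strict-Transport-Security"] = "present but has no max-age directive"
        elif int(m.group(1)) == 0:
            # RFC 6797: max-age=0 makes the browser forget the host as an HSTS host.
            findings["Strict-Transport-Security"] = (
                "max-age=0: HSTS not enforced (set hstsMaxAgeSeconds to a positive value)"
            )
        else:
            findings["Strict-Transport-Security"] = "ok"

    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings["X-Content-Type-Options"] = "missing"
    elif xcto.lower() == "nosniff":
        findings["X-Content-Type-Options"] = "ok"
    else:
        findings["X-Content-Type-Options"] = f"unexpected value {xcto!r}"

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings["X-Frame-Options"] = "missing"
    elif xfo.upper() in ("DENY", "SAMEORIGIN"):
        findings["X-Frame-Options"] = "ok"
    else:
        findings["X-Frame-Options"] = f"unexpected value {xfo!r}"

    xss = h.get("x-xss-protection")
    if xss is None:
        findings["X-XSS-Protection"] = "missing"
    elif xss.startswith("1"):
        # Present as the article expects; note that current browsers ignore this header.
        findings["X-XSS-Protection"] = "ok"
    else:
        findings["X-XSS-Protection"] = f"disabled or unexpected value {xss!r}"

    return findings


def fetch_headers(url):
    """Fetch the response headers of a live URL, e.g. https://oneclick-host/spectrum."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for name, status in check_security_headers(headers).items():
        print(f"{name}: {status}")
```

With no argument the script reports on the constructed sample, which reproduces the article's result: three headers ok and HSTS flagged because of max-age=0. Pass the OneClick URL as the first argument to check a running server.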
Additional Information

Note: When Spectrum is upgraded in the future, the changes to the web.xml files will likely be lost. You will need to re-apply these changes after the upgrade is complete.

The suggested modifications are included out of the box at the Spectrum 10.4.2.1 (aka 20.2.3) level.