Using a Whitelist for Clickjacking Framing Protection

You need to protect your system against clickjacking (also called UI redressing) attacks. This type of attack tricks the user into triggering actions within an application by hijacking mouse clicks.

In the simplest attack scenario, an invisible iframe containing the attacked page is positioned over an attacker-controlled page. The user believes the visible UI is the real one and is unaware of the actions actually triggered on the invisible page in the frame. To protect against this attack, you need to control whether your application may be rendered within a frame at all and which pages are allowed to frame it.

The whitelist service is an ABAP-wide service that HTML-based frameworks use to implement the protection. Check the documentation of your UI framework to find out whether it uses the whitelist service and how to switch on the protection for that framework.

For the clickjacking protection to work properly, you must activate a central ICF service on your back-end system. The application requests this service when it finds itself hosted by another application that is not within the same domain. The service evaluates whether the host is considered trustworthy. For certain application frameworks, such as SAPUI5, the service also acts as the central provider of the script that is loaded for the protection. The application always calls the back end it originated from, so if your scenario mixes applications from different servers, each of those servers requires this service to be activated.

To activate the service, follow these steps:
  1. Go to your back-end system

  2. Open transaction SICF_INST

  3. Select the technical name UICS_BASIC

  4. Execute

This procedure activates all required services.

As soon as the protection is enabled, a special check is performed every time before an application is rendered. If the application is embedded into another one, the check determines whether the embedding application is trusted. If the check fails, the embedded application is not displayed in the frame. Depending on the UI framework, either a blank screen is rendered or the screen is rendered but locked for user input, and an error message appears. An embedded application is considered secure if one of the following applies:

  • The application itself is not embedded in another frame.
  • The host of the application is part of the same domain as the embedding application (same-origin policy).
  • The application supports the clickjacking defense procedure and the host of the embedding application is part of the whitelist. For multi-domain scenarios, such as ones using federated portal network (FPN) views, make sure that the host name of the application in which your application is embedded is part of the whitelist.

To switch on the whitelist service, add at least one entry to table HTTP_WHITELIST with ENTRY_TYPE=30 and activate the ICF node /sap/public/bc/uics/whitelist. All frameworks that belong to this service and for which the protection is switched on use the same entries in this table.

You can access the whitelist using transaction /SE16. Also check the security guides of the UI frameworks for instructions on how to use this whitelist for your framework. In table HTTP_WHITELIST, the fields PROTOCOL, HOST and PORT specify the origin of pages that are allowed to frame applications served from this system. The field URL is not evaluated for the match, but it must contain "*" (see below).

Field       Value
ENTRY_TYPE  The value 30 activates the clickjacking framing protection.
SORT_KEY    Defines the sequence in which the table entries are checked. The protection mechanism checks all entries in ascending order of SORT_KEY until it finds a matching entry. If no entry matches, the application remains in protected mode and is either not rendered at all or at least does not accept any input; in this case, clickjacking framing attacks are not possible.
PROTOCOL    https, http, or "*" for both.
HOST        Domain or explicit host name to be granted. Use the wildcard "*" to allow groups of hosts (example: *.1.example.com).
PORT        Only numbers can be used; "*" is not possible. Leave the field empty to allow all ports.
URL         Must be filled with "*". Other values result in an error, and your application is not displayed.

Here are some examples:

Example 1: no entry with ENTRY_TYPE = 30

ENTRY_TYPE  SORT_KEY  PROTOCOL  HOST                PORT     URL
(no rows)

With no entry for ENTRY_TYPE = 30, the whitelist service is inactive.

Example 2: same origin only

ENTRY_TYPE  SORT_KEY  PROTOCOL  HOST                PORT     URL
30          0001      *         (empty)             (empty)  *

With ENTRY_TYPE = 30 the whitelist service is active. Framing is allowed only from the same domain (same-origin policy). All other parent origins are forbidden.

Example 3: same origin plus a host-name pattern

ENTRY_TYPE  SORT_KEY  PROTOCOL  HOST                PORT     URL
30          0001      *         *.1.example.com     (empty)  *

With ENTRY_TYPE = 30 the whitelist service is active. Framing from the same domain is allowed (same-origin policy). Parents whose host name matches the pattern *.1.example.com are allowed as well. All other parent origins are forbidden.

Example 4: pattern plus an explicit host

ENTRY_TYPE  SORT_KEY  PROTOCOL  HOST                PORT     URL
30          0001      *         *.1.example.com     (empty)  *
30          0002      https     host.2.example.com  (empty)  *

With ENTRY_TYPE = 30 the whitelist service is active. Framing from the same domain is allowed (same-origin policy). Parents whose host name matches the pattern *.1.example.com are allowed as well. In addition, the parent https://host.2.example.com is allowed. All other parent origins are forbidden.

To switch on clickjacking protection but disallow framing for all other origins, enter a record with ENTRY_TYPE=30 and URL="*" and leave HOST empty, as in example 2.
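The following Python model is an added illustration of the matching rules described in the field table and the examples above; it is not SAP's implementation and not code from this documentation. It encodes the documented semantics (an ENTRY_TYPE=30 row activates the service, same-origin parents are always allowed, entries are checked in ascending SORT_KEY order, "*" in PROTOCOL means both schemes, "*" in HOST is a wildcard, an empty PORT allows all ports, and URL must be "*"). The default ports assumed when an origin carries no explicit port (443 for https, 80 for http) and the exact scheme/host/port comparison used for "same origin" are assumptions of this model, not statements from the page.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

CLICKJACKING_ENTRY_TYPE = 30  # ENTRY_TYPE value that activates the framing protection


@dataclass(frozen=True)
class WhitelistEntry:
    """One row of HTTP_WHITELIST, restricted to the fields the framing check uses."""
    entry_type: int
    sort_key: str    # entries are evaluated in ascending order of this key
    protocol: str    # "https", "http" or "*" for both
    host: str        # exact host, a "*"-pattern such as "*.1.example.com", or "" (matches nothing)
    port: str        # digits, or "" to allow all ports ("*" is not permitted)
    url: str         # must be "*"


def _split_origin(origin: str):
    """Return (scheme, host, port) for an origin URL.

    Assumption of this model: a missing port defaults to 443 for https and 80 for http.
    """
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else (443 if scheme == "https" else 80)
    return scheme, host, port


def _host_matches(pattern: str, host: str) -> bool:
    """Match HOST against the parent host; only '*' is a wildcard, an empty HOST matches nothing."""
    if not pattern:
        return False
    regex = ".*".join(re.escape(piece) for piece in pattern.lower().split("*"))
    return re.fullmatch(regex, host) is not None


def entry_matches(entry: WhitelistEntry, scheme: str, host: str, port: int) -> bool:
    """Apply the PROTOCOL, HOST and PORT rules of one whitelist row to a parent origin."""
    if entry.protocol != "*" and entry.protocol.lower() != scheme:
        return False
    if not _host_matches(entry.host, host):
        return False
    if entry.port and entry.port != str(port):   # empty PORT allows every port
        return False
    return True


def framing_decision(app_origin: str, parent_origin: Optional[str], entries) -> str:
    """Decide whether the parent page may frame the application.

    Verdicts:
      "inactive"                   no ENTRY_TYPE=30 row, so the whitelist service is off
      "not-embedded"               the application is the top-level page
      "blocked:invalid-entry:<k>"  a row has URL != "*" or PORT == "*" (configuration error)
      "same-origin"                parent and application share scheme, host and port
      "allowed:<SORT_KEY>"         the first matching row, in ascending SORT_KEY order
      "blocked:no-match"           no row matched; the application stays protected
    """
    active = [e for e in entries if e.entry_type == CLICKJACKING_ENTRY_TYPE]
    if not active:
        return "inactive"
    if parent_origin is None:
        return "not-embedded"
    bad = [e.sort_key for e in active if e.url != "*" or e.port == "*"]
    if bad:
        return "blocked:invalid-entry:" + ",".join(sorted(bad))
    parent = _split_origin(parent_origin)
    if _split_origin(app_origin) == parent:
        return "same-origin"
    for entry in sorted(active, key=lambda e: e.sort_key):
        if entry_matches(entry, *parent):
            return "allowed:" + entry.sort_key
    return "blocked:no-match"


if __name__ == "__main__":
    # Constructed sample rows mirroring example 4 above.
    rows = [
        WhitelistEntry(30, "0001", "*", "*.1.example.com", "", "*"),
        WhitelistEntry(30, "0002", "https", "host.2.example.com", "", "*"),
    ]
    for parent in ["https://portal.1.example.com", "http://host.2.example.com", None]:
        print(parent, "->", framing_decision("https://app.example.com", parent, rows))
```

Each verdict string starts with "allowed", "blocked", "same-origin", "not-embedded" or "inactive", so a caller can treat anything other than the first three as a deny while still logging the reason; a row with a URL value other than "*" is reported as a configuration error rather than silently ignored, matching the documented behaviour that such rows prevent the application from being displayed.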

Before activating the clickjacking protection, ensure that the current system has the latest updates and that all systems defined in HTTP_WHITELIST support the embedding protection and have it activated. If the protection for an embedded application is activated but the host of the application does not support the protection or has not activated it, the embedded application cannot be rendered. This leads to the error behavior described above.