How to prevent my jsp application from Cross Frame Scripting? - java

I am using jsp.
I have to provide security to the application from Cross Frame Scripting. I have to ensure that all pages that gather user information prior to and during authentication are not vulnerable. The pages must prevent being encapsulated within a frameset of an unauthorized site.
I need to know more about how to prevent frames from becoming encapsulated.
I have already gone through the link below but couldn't find an appropriate solution.
"https://www.owasp.org/index.php/Cross_Frame_Scripting"
I'm expecting some demo project so that I can understand more about Cross Frame Scripting and how my application is safe from being encapsulated.

Use the X-Frame-Options header with the value DENY, SAMEORIGIN or ALLOW-FROM uri in your HTTP response to prevent your website from being loaded in a frame.
Another method is validating your URL against the source URL and reloading the page with your URL if any cross frame scripting is found.
Refer to the script below to do it.
<script>
window.onload = function() {
    // If this window is not the top-level window, the page has been framed:
    // replace the framing page with this page.
    if (window.location !== window.top.location) {
        window.top.location = window.location;
    }
}
</script>

Related

Cross origin iframe overwrites sessionid

I have a Springboot/angular component (this is an angular component that is authenticated by Spring security and loads its data from a Spring REST API). This springboot/angular component is being loaded within an iframe of a JAVA EE application.
They are also loaded on separate contexts, localhost:8080 and localhost:7001 respectively.
Problem is, whenever the springboot/angular component is loaded and authenticated in the iframe, it overwrites the Jsessionid, such that the next HTTP request I make on the JAVA EE application, is no longer the original Jsessionid and hence results in an error.
How can I avoid the Jsessionid from being overwritten in this manner while using a cross-origin iframe?
Code in localhost:7001 (JAVA EE application) containing the iframe:
Basically, what happens is I call a custom post request to my spring processLogin controller in order to authenticate the spring/angular component, and have the request display in the iframe.
<body>
<script>
function sendForm(){
    var username = document.getElementById("sessionUser").value;
    var password = document.getElementById("sessionPw").value;
    var param = {};
    param['username'] = username;
    param['password'] = password;
    // post() is the poster's own helper that submits the login request and shows the result in the iframe
    post('http://localhost:8080/processLogin', param );
}
</script>
<iframe id="menuFrame" frameborder="0" style="overflow:hidden;" src=""></iframe>
</body>
In fact you are in two separate contexts, so you have two different session IDs. In order to share your session ID you should implement load balancing or other mechanisms that allow sessions to be shared at the server level.

This content cannot be displayed in a frame

I am getting Error as below :
This content cannot be displayed in a frame
To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.
What you can try:
Open this content in a new window
and the content opens up in another tab. I want to load the page in the same tab instead of being directed to another page. One thing I found is that the URLs of both pages are quite different.
1st page - https://xxxxxxxxxxxxxxxxxxxxxx:23000/cddtweb/DDSMain.jsp
2nd page - https://xxxxxxxxxxxxxxxxxxxxxx:23000/cddtweb/DDSEntitlements.jsp
Could I get some help here to solve this issue please?
What you describe is probably caused by a security feature called X-Frame-Options, implemented on the server of the frame content provider to protect against clickjacking.
As stated in the first link, this feature is supported by all major browsers. If you don't have access to the application which generated the frame content, there is nothing you can do about it (to my best knowledge).
Depending on your use-case you might be able to fetch the frame content, tweak it and then output it directly into your page without <iframe/>. This method is described in more detail in an article by Chris Duell (although for PHP, but you should get the point).
If you have access to the application that generates the frame content, you need to set X-Frame-Options HTTP header with a proper value (e.g. X-Frame-Options: SAMEORIGIN if the frame uses the same domain).
If you want your app to be accessible in an iframe of some other browser, then you have to set the Content-Security-Policy directive frame-ancestors with the parent browser URL (for whitelisting).
Example: Content-Security-Policy: frame-ancestors https://example.com
In the response header you will see content-security-policy: frame-ancestors https://example.com https://example1.com
This works for most browsers except IE11. For IE11 you have to set X-Content-Security-Policy: parent url.
Example: x-content-security-policy: https://example.com https://example1.com
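The X-Frame-Options answer to the first question and the frame-ancestors answer just above both come down to sending the right response headers from the application itself. As an added example (not code from any answer on this page), the servlet filter below applies both headers to every response of a JSP application; the filter class, its init-param and the parent origin https://portal.example are assumptions for this example.

```java
// Added example: a javax.servlet filter that sets the anti-framing headers discussed
// above on every response. Filter name, init-param and origins are assumptions.
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.HttpServletResponse;

@WebFilter(urlPatterns = "/*", initParams = {
        // Empty value = nobody may frame us. Use "'self'" for same-origin framing,
        // or a space-separated list of parent origins, e.g. "https://portal.example".
        @WebInitParam(name = "frameAncestors", value = "")
})
public class FrameOptionsFilter implements Filter {

    private List<String> ancestors;

    @Override
    public void init(FilterConfig config) {
        String raw = config.getInitParameter("frameAncestors");
        ancestors = (raw == null || raw.trim().isEmpty())
                ? Collections.<String>emptyList()
                : Arrays.asList(raw.trim().split("\\s+"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Headers must be set before the JSP writes the body, i.e. before chain.doFilter().
        if (res instanceof HttpServletResponse) {
            applyHeaders((HttpServletResponse) res);
        }
        chain.doFilter(req, res);
    }

    /** Sets the legacy X-Frame-Options header and the CSP frame-ancestors directive. */
    void applyHeaders(HttpServletResponse http) {
        if (ancestors.isEmpty()) {
            // Login and other pre-authentication pages belong in this mode.
            http.setHeader("X-Frame-Options", "DENY");
            http.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
        } else if (ancestors.size() == 1 && "'self'".equals(ancestors.get(0))) {
            http.setHeader("X-Frame-Options", "SAMEORIGIN");
            http.setHeader("Content-Security-Policy", "frame-ancestors 'self'");
        } else {
            // Explicit allow-list of parent origins. X-Frame-Options ALLOW-FROM takes a
            // single URI and is ignored by some browsers, so the CSP directive is the
            // policy that actually enforces the list; the ALLOW-FROM value is a fallback.
            http.setHeader("X-Frame-Options", "ALLOW-FROM " + ancestors.get(0));
            http.setHeader("Content-Security-Policy",
                    "frame-ancestors " + String.join(" ", ancestors));
        }
    }

    @Override
    public void destroy() { }
}
```

A quick check after deploying is to request a login page with curl -I and confirm both headers appear on the response.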

response.sendRedirect fails to work. [duplicate]

How can I redirect the user from one page to another using jQuery or pure JavaScript?
One does not simply redirect using jQuery
jQuery is not necessary, and window.location.replace(...) will best simulate an HTTP redirect.
window.location.replace(...) is better than using window.location.href, because replace() does not keep the originating page in the session history, meaning the user won't get stuck in a never-ending back-button fiasco.
If you want to simulate someone clicking on a link, use
location.href
If you want to simulate an HTTP redirect, use location.replace
For example:
// similar behavior as an HTTP redirect
window.location.replace("http://stackoverflow.com");
// similar behavior as clicking on a link
window.location.href = "http://stackoverflow.com";
WARNING: This answer has merely been provided as a possible solution; it is obviously not the best solution, as it requires jQuery. Instead, prefer the pure JavaScript solution.
$(location).prop('href', 'http://stackoverflow.com')
Standard "vanilla" JavaScript way to redirect a page
window.location.href = 'newPage.html';
Or more simply: (since window is Global)
location.href = 'newPage.html';
If you are here because you are losing HTTP_REFERER when redirecting, keep reading:
(Otherwise ignore this last part)
The following section is for those using HTTP_REFERER as one of many security measures (although it isn't a great protective measure). If you're using Internet Explorer 8 or lower, these variables get lost when using any form of JavaScript page redirection (location.href, etc.).
Below we are going to implement an alternative for IE8 & lower so that we don't lose HTTP_REFERER. Otherwise, you can almost always simply use window.location.href.
Testing against HTTP_REFERER (URL pasting, session, etc.) can help tell whether a request is legitimate.
(Note: there are also ways to work-around / spoof these referrers, as noted by droop's link in the comments)
Simple cross-browser testing solution (fallback to window.location.href for Internet Explorer 9+ and all other browsers)
Usage: redirect('anotherpage.aspx');
function redirect (url) {
    var ua = navigator.userAgent.toLowerCase(),
        isIE = ua.indexOf('msie') !== -1,
        // Read the major version from the "msie N.N" token itself; a fixed offset
        // into the user-agent string does not point at the version number.
        version = isIE ? parseInt(ua.substr(ua.indexOf('msie') + 5), 10) : NaN;
    // Internet Explorer 8 and lower
    if (isIE && version < 9) {
        var link = document.createElement('a');
        link.href = url;
        document.body.appendChild(link);
        link.click();
    }
    // All other browsers can use the standard window.location.href
    // (they don't lose HTTP_REFERER like Internet Explorer 8 & lower does)
    else {
        window.location.href = url;
    }
}
There are lots of ways of doing this.
// window.location
window.location.replace('http://www.example.com')
window.location.assign('http://www.example.com')
window.location.href = 'http://www.example.com'
document.location.href = '/path'
// window.history
window.history.back()
window.history.go(-1)
// window.navigate; ONLY for old versions of Internet Explorer
window.navigate('top.jsp')
// Probably no bueno
self.location = 'http://www.example.com';
top.location = 'http://www.example.com';
// jQuery
$(location).attr('href','http://www.example.com')
$(window).attr('location','http://www.example.com')
$(location).prop('href', 'http://www.example.com')
This works for every browser:
window.location.href = 'your_url';
It would help if you were a little more descriptive in what you are trying to do. If you are trying to generate paged data, there are some options in how you do this. You can generate separate links for each page that you want to be able to get directly to.
<a href='/path-to-page?page=1' class='pager-link'>1</a>
<a href='/path-to-page?page=2' class='pager-link'>2</a>
<span class='pager-link current-page'>3</span>
...
Note that the current page in the example is handled differently in the code and with CSS.
If you want the paged data to be changed via AJAX, this is where jQuery would come in. What you would do is add a click handler to each of the anchor tags corresponding to a different page. This click handler would invoke some jQuery code that goes and fetches the next page via AJAX and updates the table with the new data. The example below assumes that you have a web service that returns the new page data.
$(document).ready( function() {
    $('a.pager-link').click( function() {
        var page = $(this).attr('href').split(/\?/)[1];
        $.ajax({
            type: 'POST',
            url: '/path-to-service',
            data: page,
            success: function(content) {
                $('#myTable').html(content); // replace
            }
        });
        return false; // to stop link
    });
});
I also think that location.replace(URL) is the best way, but if you want to notify the search engines about your redirection (they don't analyze JavaScript code to see the redirection) you should add the rel="canonical" meta tag to your website.
Adding a noscript section with an HTML refresh meta tag in it is also a good solution. I suggest you use this JavaScript redirection tool to create redirections. It also has Internet Explorer support to pass the HTTP referrer.
Sample code without delay looks like this:
<!-- Place this snippet right after opening the head tag to make it work properly -->
<!-- This code is licensed under GNU GPL v3 -->
<!-- You are allowed to freely copy, distribute and use this code, but removing author credit is strictly prohibited -->
<!-- Generated by http://insider.zone/tools/client-side-url-redirect-generator/ -->
<!-- REDIRECTING STARTS -->
<link rel="canonical" href="https://yourdomain.example/"/>
<noscript>
    <meta http-equiv="refresh" content="0;URL=https://yourdomain.example/">
</noscript>
<!--[if lt IE 9]><script type="text/javascript">var IE_fix=true;</script><![endif]-->
<script type="text/javascript">
    var url = "https://yourdomain.example/";
    if(typeof IE_fix != "undefined") // IE8 and lower fix to pass the http referer
    {
        document.write("redirecting..."); // Don't remove this line or appendChild() will fail because it is called before document.onload to make the redirect as fast as possible. Nobody will see this text, it is only a tech fix.
        var referLink = document.createElement("a");
        referLink.href = url;
        document.body.appendChild(referLink);
        referLink.click();
    }
    else { window.location.replace(url); } // All other browsers
</script>
<!-- Credit goes to http://insider.zone/ -->
<!-- REDIRECTING ENDS -->
But if someone wants to redirect back to the home page then they may use the following snippet.
window.location = window.location.protocol + '//' + window.location.host; // the full origin; a bare host name would be treated as a relative path
It would be helpful if you have three different environments, such as development, staging, and production.
You can explore this window or window.location object by just putting these words in Chrome Console or Firebug's Console.
JavaScript provides you many methods to retrieve and change the current URL which is displayed in the browser's address bar. All these methods use the Location object, which is a property of the Window object. You can create a new Location object that has the current URL as follows:
var currentLocation = window.location;
Basic Structure of a URL
<protocol>//<hostname>:<port>/<pathname><search><hash>
Protocol -- Specifies the protocol to be used to access the resource on the Internet (HTTP (without SSL) or HTTPS (with SSL)).
hostname -- Host name specifies the host that owns the resource. For example, www.stackoverflow.com. A server provides services using the name of the host.
port -- A port number used to recognize a specific process to which an Internet or other network message is to be forwarded when it arrives at a server.
pathname -- The path gives info about the specific resource within the host that the Web client wants to access. For example, stackoverflow.com/index.html.
query -- A query string follows the path component, and provides a string of information that the resource can utilize for some purpose (for example, as parameters for a search or as data to be processed).
hash -- The anchor portion of a URL, includes the hash sign (#).
With these Location object properties you can access all of these URL components:
hash -- Sets or returns the anchor portion of a URL.
host -- Sets or returns the hostname and port of a URL.
hostname -- Sets or returns the hostname of a URL.
href -- Sets or returns the entire URL.
pathname -- Sets or returns the path name of a URL.
port -- Sets or returns the port number the server uses for a URL.
protocol -- Sets or returns the protocol of a URL.
search -- Sets or returns the query portion of a URL.
Now if you want to change a page or redirect the user to some other page, you can use the href property of the Location object like this:
window.location.href = "http://www.stackoverflow.com";
The Location object also has these three methods:
assign() -- Loads a new document.
reload() -- Reloads the current document.
replace() -- Replaces the current document with a new one.
You can also use the assign() and replace() methods to redirect to other pages like these:
location.assign("http://www.stackoverflow.com");
location.replace("http://www.stackoverflow.com");
How assign() and replace() differ -- The difference between the replace() method and the assign() method is that replace() removes the URL of the current document from the document history, meaning it is not possible to use the "back" button to navigate back to the original document. So use the assign() method if you want to load a new document and want to give the option to navigate back to the original document.
You can also change the location object's href property using jQuery like this:
$(location).attr('href',url);
And hence you can redirect the user to some other URL.
Basically jQuery is just a JavaScript framework, and for doing some things like redirection in this case you can just use pure JavaScript, so in that case you have 3 options using vanilla JavaScript:
1) Using location replace; this will replace the current history of the page, meaning that it is not possible to use the back button to go back to the original page.
window.location.replace("http://stackoverflow.com");
2) Using location assign; this will keep the history for you, and using the back button you can go back to the original page:
window.location.assign("http://stackoverflow.com");
3) I recommend using one of those previous ways, but this could be the third option using pure JavaScript:
window.location.href="http://stackoverflow.com";
You can also write a function in jQuery to handle it, but that is not recommended as it's only a one-line pure JavaScript function. Also, you can use all of the above functions without window if you are already in the window scope; for example window.location.replace("http://stackoverflow.com"); could be location.replace("http://stackoverflow.com");
Also I show them all on the image below:
Should just be able to set using window.location.
Example:
window.location = "https://stackoverflow.com/";
Here is a past post on the subject: How do I redirect to another webpage?
Before I start, jQuery is a JavaScript library used for DOM manipulation. So you should not be using jQuery for a page redirect.
A quote from Jquery.com:
While jQuery might run without major issues in older browser versions, we do not actively test jQuery in them and generally do not fix bugs that may appear in them.
It was found here:
https://jquery.com/browser-support/
So jQuery is not an end-all and be-all solution for backwards compatibility.
The following solution using raw JavaScript works in all browsers and has been standard for a long time, so you don't need any libraries for cross browser support.
This page will redirect to Google after 3000 milliseconds.
<!DOCTYPE html>
<html>
<head>
    <title>example</title>
</head>
<body>
    <p>You will be redirected to google shortly.</p>
    <script>
        setTimeout(function(){
            window.location.href="http://www.google.com"; // The URL that will be redirected to.
        }, 3000); // The bigger the number the longer the delay.
    </script>
</body>
</html>
Different options are as follows:
window.location.href="url"; // Simulates normal navigation to a new page
window.location.replace("url"); // Removes current URL from history and replaces it with a new URL
window.location.assign("url"); // Adds new URL to the history stack and redirects to the new URL
window.history.back(); // Simulates a back button click
window.history.go(-1); // Simulates a back button click
window.history.back(-1); // Simulates a back button click
window.navigate("page.html"); // Same as window.location="url"
When using replace, the back button will not go back to the redirect page, as if it was never in the history. If you want the user to be able to go back to the redirect page then use window.location.href or window.location.assign. If you do use an option that lets the user go back to the redirect page, remember that when you enter the redirect page it will redirect you back. So take that into consideration when picking an option for your redirect. Under conditions where the page only redirects when an action is done by the user, having the page in the back button history will be okay. But if the page auto-redirects then you should use replace so that the user can use the back button without getting forced back to the page the redirect sends them to.
You can also use meta data to run a page redirect as follows.
META Refresh
<meta http-equiv="refresh" content="0;url=http://evil.example/" />
META Location
<meta http-equiv="location" content="URL=http://evil.example" />
BASE Hijacking
<base href="http://evil.example/" />
Many more methods to redirect your unsuspecting client to a page they may not wish to go can be found on this page (not one of them is reliant on jQuery):
https://code.google.com/p/html5security/wiki/RedirectionMethods
I would also like to point out, people don't like to be randomly redirected. Only redirect people when absolutely needed. If you start redirecting people randomly they will never go to your site again.
The next paragraph is hypothetical:
You also may get reported as a malicious site. If that happens then when people click on a link to your site the users browser may warn them that your site is malicious. What may also happen is search engines may start dropping your rating if people are reporting a bad experience on your site.
Please review Google Webmaster Guidelines about redirects:
https://support.google.com/webmasters/answer/2721217?hl=en&ref_topic=6001971
Here is a fun little page that kicks you out of the page.
<!DOCTYPE html>
<html>
<head>
    <title>Go Away</title>
</head>
<body>
    <h1>Go Away</h1>
    <script>
        setTimeout(function(){
            window.history.back();
        }, 3000);
    </script>
</body>
</html>
If you combine the two page examples together you would have an infinite loop of rerouting that will guarantee that your user will never want to use your site ever again.
var url = 'asdf.html';
window.location.href = url;
You can do that without jQuery as:
window.location = "http://yourdomain.com";
And if you want only jQuery then you can do it like:
$jq(window).attr("location","http://yourdomain.com");
This works with jQuery:
$(window).attr("location", "http://google.fr");
HTML Page Redirect Using jQuery/JavaScript Method
Try this example code:
function YourJavaScriptFunction()
{
    var i = $('#login').val();
    if (i == 'login')
        window.location = "Login.php";
    else
        window.location = "Logout.php";
}
If you want to give a complete URL, write window.location = "www.google.co.in";
Original question: "How to redirect using jQuery?", hence the answer implements jQuery >> Complimentary usage case.
To just redirect to a page with JavaScript:
window.location.href = "/contact/";
Or if you need a delay:
setTimeout(function () {
    window.location.href = "/contact/";
}, 2000); // Time in milliseconds
jQuery allows you to select elements from a web page with ease. You can find anything you want on a page and then use jQuery to add special effects, react to user actions, or show and hide content inside or outside the element you have selected. All these tasks start with knowing how to select an element or an event.
$('a,img').on('click',function(e){
    e.preventDefault();
    $(this).animate({
        opacity: 0 //Put some CSS animation here
    }, 500);
    setTimeout(function(){
        // OK, finished jQuery stuff, let's go redirect
        window.location.href = "/contact/";
    },500);
});
Imagine someone wrote a script/plugin with 10000 lines of code. With jQuery you can connect to this code with just a line or two.
So, the question is how to make a redirect page, and not how to redirect to a website?
You only need to use JavaScript for this. Here is some tiny code that will create a dynamic redirect page.
<script>
    var url = window.location.search.split('url=')[1]; // Get the URL after ?url=
    if( url ) window.location.replace(url);
</script>
So say you just put this snippet into a redirect/index.html file on your website; you can use it like so.
http://www.mywebsite.com/redirect?url=http://stackoverflow.com
And if you go to that link it will automatically redirect you to stackoverflow.com.
Link to Documentation
And that's how you make a Simple redirect page with JavaScript
Edit:
There is also one thing to note. I have added window.location.replace in my code because I think it suits a redirect page, but you must know that when using window.location.replace and you get redirected, when you press the back button in your browser it will not go back to the redirect page; it will go back to the page before it. Take a look at this little demo.
Example:
The process: store home => redirect page to google => google
When at google: google => back button in browser => store home
So, if this suits your needs then everything should be fine. If you want to include the redirect page in the browser history replace this
if( url ) window.location.replace(url);
with
if( url ) window.location.href = url;
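The redirect/index.html snippet above forwards whatever follows url= without checking it, so the page can be used to send visitors to any site at all. As an added example (not code from any answer on this page), the servlet below does the same job server-side with response.sendRedirect, but only to local paths or to hosts on a fixed trusted list; the servlet class, its mapping and the host list are assumptions for this example.

```java
// Added example: a javax.servlet redirect endpoint that validates the target before
// calling response.sendRedirect(). Class name, mapping and host list are assumptions.
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/redirect")
public class SafeRedirectServlet extends HttpServlet {

    // Hosts this application is willing to send users to (constructed for the example).
    private static final Set<String> TRUSTED_HOSTS = new HashSet<>(
            Arrays.asList("stackoverflow.com", "www.mywebsite.com"));

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String target = safeTarget(req.getParameter("url"));
        if (target == null) {
            // Refuse rather than fall back to the raw parameter.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "untrusted redirect target");
            return;
        }
        resp.sendRedirect(target); // 302 to a validated target
    }

    /**
     * Returns the target if it is a local path or an http(s) URL on a trusted host,
     * otherwise null. Scheme-relative targets ("//host"), non-http schemes such as
     * javascript:, and user@host prefixes are all rejected; backslashes are folded to
     * slashes first because browsers treat them as path separators.
     */
    static String safeTarget(String raw) {
        if (raw == null || raw.isEmpty()) {
            return null;
        }
        String s = raw.trim().replace('\\', '/');
        // A local path: exactly one leading slash.
        if (s.startsWith("/") && !s.startsWith("//")) {
            return s;
        }
        URI uri;
        try {
            uri = new URI(s);
        } catch (URISyntaxException e) {
            return null;
        }
        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return null;
        }
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null
                || !TRUSTED_HOSTS.contains(host.toLowerCase())) {
            return null;
        }
        return uri.toString();
    }
}
```

With this in place, /redirect?url=http://stackoverflow.com still works, while a url= value pointing at a host outside the list gets a 400 instead of a redirect.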
You need to put this line in your code:
$(location).attr("href","http://stackoverflow.com");
If you don't have jQuery, go with JavaScript:
window.location.replace("http://stackoverflow.com");
window.location.href = "http://stackoverflow.com"; // href is a property, so it is assigned, not called
On your click function, just add:
window.location.href = "The URL where you want to redirect";
$('#id').click(function(){
    window.location.href = "http://www.google.com";
});
Try this:
location.assign("http://www.google.com");
Code snippet of example.
jQuery is not needed. You can do this:
window.open("URL","_self","","")
It is that easy!
The best way to initiate an HTTP request is with document.location.href.replace('URL').
Using JavaScript:
Method 1:
window.location.href="http://google.com";
Method 2:
window.location.replace("http://google.com");
Using jQuery:
Method 1: $(location)
$(location).attr('href', 'http://google.com');
Method 2: Reusable Function
jQuery.fn.redirectTo = function(url){
    window.location.href = url;
}
jQuery(window).redirectTo("http://google.com");
First write properly. You want to navigate within an application to another link. Here is the code:
window.location.href = "http://www.google.com";
And if you want to navigate pages within your application then I also have code, if you want.
You can redirect in jQuery like this:
$(location).attr('href', 'http://yourPage.com/');
JavaScript is very extensive. If you want to jump to another page you have three options.
window.location.href='otherpage.com';
window.location.assign('otherpage.com');
//and...
window.location.replace('otherpage.com');
As you want to move to another page, you can use any from these if this is your requirement.
However, all three options are limited to different situations. Choose wisely according to your requirement.
If you are interested in more knowledge about the concept, you can go through further.
window.location.href; // Returns the href (URL) of the current page
window.location.hostname; // Returns the domain name of the web host
window.location.pathname; // Returns the path and filename of the current page
window.location.protocol; // Returns the web protocol used (http: or https:)
window.location.assign; // Loads a new document
window.location.replace; // Replaces the current location with a new one.
In JavaScript and jQuery we can use the following code to redirect the one page to another page:
window.location.href="http://google.com";
window.location.replace("page1.html");
ECMAScript 6 + jQuery, 85 bytes
$({jQueryCode:(url)=>location.replace(url)}).attr("jQueryCode")("http://example.com")
Please don't kill me, this is a joke. It's a joke. This is a joke.
This did "provide an answer to the question", in the sense that it asked for a solution "using jQuery" which in this case entails forcing it into the equation somehow.
Ferrybig apparently needs the joke explained (still joking, I'm sure there are limited options on the review form), so without further ado:
Other answers are using jQuery's attr() on the location or window objects unnecessarily.
This answer also abuses it, but in a more ridiculous way. Instead of using it to set the location, this uses attr() to retrieve a function that sets the location.
The function is named jQueryCode even though there's nothing jQuery about it, and calling a function somethingCode is just horrible, especially when the something is not even a language.
The "85 bytes" is a reference to Code Golf. Golfing is obviously not something you should do outside of code golf, and furthermore this answer is clearly not actually golfed.
Basically, cringe.
JavaScript:
window.location.href='www.your_url.com';
window.top.location.href='www.your_url.com';
window.location.replace('www.your_url.com');
jQuery:
var url='www.your_url.com';
$(location).attr('href',url);
$(location).prop('href',url);//instead of location you can use window
Here is a time-delay redirection. You can set the delay time to whatever you want:
<!doctype html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Your Document Title</title>
    <script type="text/javascript">
        // Redirect after `delay` milliseconds. A function callback is used instead
        // of passing the statement to setTimeout as a string to be evaluated.
        function delayer(delay) {
            setTimeout(function () {
                window.location.href = "http://www.google.com/";
            }, delay);
        }
    </script>
</head>
<body>
    <script>
        delayer(8000);
    </script>
    <div>You will be redirected in 8 seconds!</div>
</body>
</html>

Liferay Page redirection

I have developed a theme in Liferay 6.1. I have a page named "localhost:8080/home" but now I want that on clicking this link of the page, it should be redirected to localhost:8080
Any suggestions are welcomed.
Thanks in Advance.
I think you are confused a little bit, so just some things you should know:
You can't (normally and without hacks) have a page named "localhost:8080". Every page (or 'Layout' in Liferay) has a short name that takes its part of the URL. This is often called "friendly url" but it's often confused with the "friendly url feature", which is a way to shorten your URL request data.
So you're always going to have URLs like 'localhost:8080/something'. The same holds for the 'home' page.
You can partially shorten the URL by using 'virtual host'. It removes the part of the URL before your page's name (like removing the web/guest or user/username suffix).
You can use the 'friendly url' feature to shorten the part of the url that goes after the page's name, and contains request information like lifecycle state info or custom request parameters

access html components in servlet

So I am using Java servlets to respond to a request from a JSP page, and I want to change the HTML components' names on that JSP page, like changing a button's value or hiding a label. I am wondering if there is any way to access the JSP page's HTML components like button, text, ... in a servlet?
I want to return the response in the same page that I got the request from. Can I just simply write button1.name = "john" or text1.value = "ross geller"?
Short answer is "no", longer answer is:
Firstly, you have to understand that HTTP and servlets are not an event-driven GUI like a desktop client; it's a lifecycle-oriented, request/response paradigm. What this means is that the client (browser) makes a request for a page. The server (servlet) then responds with the HTML for that page. Once the servlet has sent the HTML to the browser, there is nothing that can be done on the server to change it, unless the browser makes a new request.
In this very basic paradigm, the lifecycle might look something like this:
A request is made by posting a form (browser) -> request is received (servlet) -> servlet does some processing based on request parameters -> HTML is generated (either by the servlet or by forwarding to a JSP page) -> HTML is sent back to the browser -> browser renders the page from the HTML
This is a very basic example, there are many variations on this based on which framework you use but they all boil down to something along these lines.
So, in your case, you have a page with, presumably, a form on it that has a button. You want to post that form and then return the same page but with some other label on the button. In the lifecycle above you would extract the parameters posted on the form from the request (parameters = all fields on the form). Then, in the HTML generation, you would use those request parameter values when building the HTML. I would advise you to search the web for some tutorials on servlet technology and look at some examples you might find, and this will become clearer.
