[ https://issues.apache.org/jira/browse/AMQ-6113?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christopher L. Shannon updated AMQ-6113:
----------------------------------------
       Assignee: Christopher L. Shannon
    Description: The X-Frame-Options header is missing for the ActiveMQ Web 
Console and it should be added to all responses  (was: ActiveMQ is part of our 
installation.

When I run the Nessus vulnerability scanner on our server it found the 
following vulnerability on the ActiveMQ webconsole:

Web Application Potentially Vulnerable to Clickjacking


Description
The remote web server does not set an X-Frame-Options response header in all 
content responses. This could potentially expose the site to a clickjacking or 
UI Redress attack wherein an attacker can trick a user into clicking an area of 
the vulnerable page that is different than what the user perceives the page to 
be. This can result in a user performing fraudulent or malicious transactions.

X-Frame-Options has been proposed by Microsoft as a way to mitigate 
clickjacking attacks and is currently supported by all major browser vendors.

Note that while the X-Frame-Options response header is not the only mitigation 
for clickjacking, it is currently the most reliable method to detect through 
automation. Therefore, this plugin may produce false positives if other 
mitigation strategies (e.g. frame-busting JavaScript) are deployed or if the 
page does not perform any security-sensitive transactions.

Solution
Return the X-Frame-Options HTTP header with the page's response.

This prevents the page's content from being rendered by another site when using 
the frame or iframe HTML tags.

See Also
http://www.nessus.org/u?1bced8d9
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
http://en.wikipedia.org/wiki/Clickjacking

Output

    The following pages do not use an X-Frame-Options response header :

      - https://10.100.10.10:8072/

)
    Component/s:     (was: security)
        Summary: Add the "X-Frame-Options" header for the WebConsole  (was: 
Security issue: required to add "X-Frame-Options SAMEORIGIN" for web console)

> Add the "X-Frame-Options" header for the WebConsole
> ---------------------------------------------------
>
>                 Key: AMQ-6113
>                 URL: https://issues.apache.org/jira/browse/AMQ-6113
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: webconsole
>         Environment: centos 6
>            Reporter: Michael Furman
>            Assignee: Christopher L. Shannon
>
> The X-Frame-Options header is missing for the ActiveMQ Web Console and it 
> should be added to all responses



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
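The fix the ticket asks for is a header on every response, not just on the console's HTML pages, because the scanner reports any content response that lacks it. The simplest way to get that in a Jetty/servlet web application such as the WebConsole is a servlet filter mapped to every URL. The filter below is an added illustration written for this page; it is not ActiveMQ's own change (which this page does not show), and the class name FrameOptionsFilter, the optional init-param name "value" and the web.xml registration described afterwards are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (not ActiveMQ's own code) that puts an
 * X-Frame-Options header on every response that passes through it.
 * Mapped to the url-pattern "/*" it covers console pages, static
 * resources and error pages alike, which is what a clickjacking
 * scanner checks for.
 */
public class FrameOptionsFilter implements Filter {

    /**
     * Header value to send. SAMEORIGIN lets the console frame its own
     * pages while refusing to be framed by any other origin; DENY is
     * stricter and refuses every frame, including same-origin ones.
     */
    private String value = "SAMEORIGIN";

    @Override
    public void init(FilterConfig config) {
        // Assumed init-param "value" so an operator can switch to DENY
        // from web.xml without rebuilding the filter.
        String configured = config.getInitParameter("value");
        if (configured != null && !configured.trim().isEmpty()) {
            value = configured.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // setHeader rather than addHeader: if a downstream component
            // also sets the header we end up with one value, not two
            // conflicting ones. Setting it before chain.doFilter() makes
            // sure it is present before the response is committed.
            http.setHeader("X-Frame-Options", value);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

To activate it, register the class in the console webapp's WEB-INF/web.xml with a `<filter>` element and a `<filter-mapping>` whose `<url-pattern>` is `/*`, and place that mapping before any other filter so the header is set even when an earlier filter short-circuits the chain. After deploying, check a page, a static resource and a deliberately bad URL with `curl -sI` and confirm each response carries `X-Frame-Options: SAMEORIGIN`; a servlet that calls `response.reset()` on error would discard the header, which is exactly the kind of gap the scanner's "all content responses" wording is meant to catch. The same filter is a natural place to add `Content-Security-Policy: frame-ancestors 'self'`, the standards-track successor to X-Frame-Options, but keep X-Frame-Options as well, since the plugin text above says the scanner keys on that header specifically.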
