Question

How to protect OA and billing Control Panels from clickjacking attacks?

Answer

Attacks of this type require an attacker to build an IFrame whose URL carries valid bw_id or sudo parameters so that the frame's contents initialize correctly in the victim's browser. Because these parameters are session-bound and short-lived, this makes the clickjacking vulnerability impossible to exploit on the OA/BA control panels.

It is nevertheless possible to protect the OA control panel from clickjacking by setting the X-Frame-Options HTTP header, which prevents external sites from framing it. Note that when this configuration is applied on the billing application server, it may break the OA-BA switch in some cases and is therefore not recommended there.

  • OA of version 6.0 and earlier:

    1. Modify the /usr/local/pem/etc/branding/branding_htaccess.tmpl file on the OA Management node by adding the following line:

      Header always set X-Frame-Options SAMEORIGIN
      
    2. Modify the .branding_htaccess file for each branding server/branding webspace that serves HTTPS connections for a specific brand by adding the following line:

      Header always set X-Frame-Options SAMEORIGIN
      

    Example .branding_htaccess file locations:

    Brand on legacy LSH: /usr/local/pem/vhosts/100001/webspace/httpsdocs/branddomain.tld/.branding_htaccess

    Brand on LSH NG: /var/www/vhosts/2/100008/webspace/httpdocs/branddomain.tld/.branding_htaccess

  • OA of version 7 and later:

    1. Add the following line to the .htaccess file of the desired brand. It is usually located in the /var/www/brands/<BRAND_NAME>/ folder on the UI server:

      Header always set X-Frame-Options SAMEORIGIN
      
  • Make sure that it is still possible to log in to the CP, switch to billing and back to the Operations panel.
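After editing the .htaccess or .branding_htaccess file, the quickest way to confirm the header is actually served is to inspect the response headers of the brand's CP URL. The script below is an added example, not part of the original article: it fetches headers with curl (or takes header text you paste in) and reports whether X-Frame-Options is present and set to a value browsers honor; the sample responses and the URL in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): verify the clickjacking protection
# header on a control-panel URL after the .htaccess change.

# xfo_status HEADERS -> prints "ok", "missing" or "weak".
# HEADERS is raw HTTP response header text, as printed by `curl -sI`.
xfo_status() {
    # Header names are case-insensitive; strip CR, spaces, and uppercase the value.
    value=$(printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^x-frame-options:' | head -n 1 \
        | cut -d: -f2- | tr -d ' \t' | tr '[:lower:]' '[:upper:]')
    case "$value" in
        "")              echo missing ;;
        SAMEORIGIN|DENY) echo ok ;;
        *)               echo weak ;;  # e.g. ALLOW-FROM / ALLOWALL: not honored by current browsers
    esac
}

# check_url URL -> fetches the final response's headers and reports the status.
check_url() {
    xfo_status "$(curl -sS -I -L --max-time 10 "$1")"
}

# Constructed sample responses (not captured from a real system).
PROTECTED='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'

UNPROTECTED='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

if [ -n "${1:-}" ]; then
    # Usage: sh check_xfo.sh https://cp.branddomain.tld/   (placeholder URL)
    check_url "$1"
else
    xfo_status "$PROTECTED"    # ok
    xfo_status "$UNPROTECTED"  # missing
fi
```

Run it once against the brand's CP URL and once against the billing URL: the first should report ok, while the second is expected to report missing if you followed the advice not to set the header on the billing application server.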

To automate the steps above and support both the OA Management node and the BA application server, internal request PFR-1624 was submitted to the development team. Contact your Technical Account Manager or the Pooled Technical Associate Team at pta@odin.com for the current status of PFR-1624.
