Question
How to protect OA and billing Control Panels from clickjacking attacks?
Answer
An attack of this type would require the attacker to build an IFrame whose URL carries valid bw_id or sudo parameters, so that the framed control panel page initialises correctly in the victim's browser. Because these parameters are session-bound and have a limited lifetime, clickjacking against the OA/BA control panels is not practically exploitable.
The OA control panel can nevertheless be protected from clickjacking with the X-Frame-Options HTTP response header, which tells the browser not to render the panel inside a frame on an external site (the SAMEORIGIN value used below permits framing only by pages from the same origin). Note that applying the same configuration on the billing application server may break the OA-BA switch in some cases and is therefore not recommended.
OA of version 6.0 and earlier:
- On the OA Management node, add the following line to the /usr/local/pem/etc/branding/branding_htaccess.tmpl file:
  Header always set X-Frame-Options SAMEORIGIN
- For each branding server/branding webspace that serves HTTPS connections for a specific brand, add the same line to its .branding_htaccess file:
  Header always set X-Frame-Options SAMEORIGIN
Examples of the .branding_htaccess file location:
Brand on legacy LSH: /usr/local/pem/vhosts/100001/webspace/httpsdocs/branddomain.tld/.branding_htaccess
Brand on LSH NG: /var/www/vhosts/2/100008/webspace/httpdocs/branddomain.tld/.branding_htaccess
OA of version 7 and later:
- Add the following line to the .htaccess file of the desired brand, which is usually located in the /var/www/brands/<BRAND_NAME>/ folder on the UI server:
  Header always set X-Frame-Options SAMEORIGIN
After applying the change, make sure that it is still possible to log in to the CP, switch to billing and back to the Operations panel.
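The following script is an added example for the procedure above; it is not part of the original article and is not OA's own tooling. It adds the directive to a given Apache per-directory file (.htaccess, .branding_htaccess or branding_htaccess.tmpl) only once, keeps a backup so the change can be reverted if the OA-BA switch breaks, and checks a captured HTTP response header block for the result. The file path is supplied by the caller and the two sample responses are constructed, not captured from a real OA/BA server.

```shell
#!/bin/sh
# Added example, not part of the original KB article or OA's own tooling:
# idempotently add the X-Frame-Options directive to an Apache per-directory
# config file (.htaccess, .branding_htaccess, branding_htaccess.tmpl) and
# check a captured HTTP response header block for the result.
# File paths are supplied by the caller; the sample responses below are
# constructed, not captured from a real OA/BA server.

XFO_DIRECTIVE='Header always set X-Frame-Options SAMEORIGIN'
# Matches an uncommented Header directive that sets X-Frame-Options.
XFO_PATTERN='^[[:space:]]*Header[[:space:]].*X-Frame-Options'

# add_xfo_directive FILE
# Appends the directive to FILE unless an X-Frame-Options Header directive is
# already present, so running it twice never duplicates the line. A FILE.bak
# copy is kept so the change can be reverted if the OA-BA switch breaks.
add_xfo_directive() {
    file="$1"
    [ -n "$file" ] || { echo "usage: add_xfo_directive FILE" >&2; return 2; }
    if [ -f "$file" ] && grep -Eiq "$XFO_PATTERN" "$file"; then
        return 0
    fi
    [ -f "$file" ] && cp -p "$file" "$file.bak"
    printf '%s\n' "$XFO_DIRECTIVE" >> "$file"
}

# count_xfo_directives FILE
# Prints how many X-Frame-Options Header directives FILE contains (0 if none).
count_xfo_directives() {
    grep -Eic "$XFO_PATTERN" "$1" || true
}

# xfo_from_headers < RAW_HEADERS
# Reads a raw HTTP response header block (e.g. the output of `curl -sI URL`)
# on stdin and prints the X-Frame-Options value, or "missing".
xfo_from_headers() {
    val=$(tr -d '\r' | awk -F': *' 'tolower($1) == "x-frame-options" { print $2; exit }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'missing\n'; fi
}

# headers_block_framing < RAW_HEADERS
# Returns 0 when the response forbids cross-site framing (SAMEORIGIN or DENY),
# 1 when the header is absent or carries any other value.
headers_block_framing() {
    case "$(xfo_from_headers | tr '[:upper:]' '[:lower:]')" in
        sameorigin|deny) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample responses for offline demonstration.
SAMPLE_HEADERS_OK='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8'

SAMPLE_HEADERS_MISSING='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8'

# demo: apply the directive to a scratch file twice and inspect both samples.
demo() {
    scratch=$(mktemp)
    printf 'RewriteEngine On\n' > "$scratch"
    add_xfo_directive "$scratch"
    add_xfo_directive "$scratch"
    echo "directives in scratch file after two runs: $(count_xfo_directives "$scratch")"
    rm -f "$scratch" "$scratch.bak"
    for sample in "$SAMPLE_HEADERS_OK" "$SAMPLE_HEADERS_MISSING"; do
        value=$(printf '%s\n' "$sample" | xfo_from_headers)
        if printf '%s\n' "$sample" | headers_block_framing; then
            echo "framing blocked (X-Frame-Options: $value)"
        else
            echo "framing NOT blocked (X-Frame-Options: $value)"
        fi
    done
}

demo
```

On a real brand, run `add_xfo_directive /var/www/brands/<BRAND_NAME>/.htaccess` (or the .branding_htaccess path for OA 6.0 and earlier) and then verify from outside with `curl -sI https://branddomain.tld/ | headers_block_framing`; a non-zero exit means the header is not being served, for example because the file is not read by Apache or mod_headers is not loaded. The header check only confirms that browsers will refuse to frame the panel; the OA-BA switch still has to be tested by hand as described above.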
In order to automate the steps above and support both the OA Management node and the BA application server, internal request PFR-1624 was submitted to the development team. Contact your Technical Account Manager or the Pooled Technical Associate Team at pta@odin.com to clarify the status of PFR-1624.