February, 2017

Protecting your Domino servers from the clickjacking hack

There is a hack called clickjacking that can happen on web servers, including Domino.  Here are the details on how clickjacking can impact web sites.

An attacker performs a clickjacking attack by creating a site on the Internet, which contains inline frames (iframes) that can display content from the application.  The attacker sets the malicious iframes as invisible and places them on top of a commonly clicked link or icon found on the webpage.  Using JavaScript-based functions and other techniques, the attacker can force the authenticated user to click on and unknowingly execute target application functions. This exploit could control user’s actions without their knowledge and could potentially enable an attacker to expose confidential information or impersonate users.

For example let’s say users connect to the mail server via the URL https://mail.companyxyz.com.
This site can be included on a webpage with an iframe containing the following  <iframe src=”https://mail.companyxyz.com/” width=”500″ height=”500″></iframe>

The way you mediate this hack depends on the release level of the Domino server.

For any servers running 9.0.1 FP6 or higher, the following notes.ini variable can be set.  It just requires an end and restart of HTTP for this change to take effect.

HTTPAdditionalRespHeader=X-Frame-Options: SAMEORIGIN

For servers running earlier versions of Domino, those servers can be switched to use Internet Sites documents and then a Web Site Rule can be created that specifies a custom header with the x-frame-options header set to SAMEORIGIN.

If you haven’t enabled your server to use Internet Sites, edit the server document and specify “Enabled” for field ‘Load Internet configurations from Server\Internet Sites documents’.

Next create a Web Internet Site document, specifying the values appropriate for your site.  In the Web Site document, click Web Site -> Create Rule, select “HTTP response headers” for the ‘Type of rule’.  Under ‘Custom headers’, enter “X-Frame-Options” for the Name and “SAMEORIGIN” for Value and place a checkmark next to “Override“.

Whether you have enabled the notes.ini variable on a 9.0.1 FP6 or higher server or enabled the capability through a Web Site Rule in an Internet Site document, end and restart the HTTP task for prevention of clickjacking on your Domino server to be enabled.

Here is a technote for reference: http://www-01.ibm.com/support/docview.wss?uid=swg21568598