Symantec Access Management

  • Private Community

  • 1.  Login.fcc frame buster code

    Posted Aug 05, 2016 08:50 AM

    I have noticed that frame buster code did not kick in, which means not bursting the frames (allowing the applications to create iFrame on login page) for custom authentication scheme with an extension .fcc and when i used login.fcc also. I wondered am i doing something wrong or behavior of the .fcc page is wrong. Any input would be greatly appreciated.

     

    Thanks

    Venkata Kuchipudi



  • 2.  Re: Login.fcc frame buster code

    Posted Aug 05, 2016 03:50 PM

    Not sure about the one that came with the sample FCC since we use our own. But you should definitely also be adding the X-Frame-Options: DENY  (or SAMEORIGIN if necessary) header at web server too.

     

    There's some good info and examples here too you could try? - Clickjacking Defense Cheat Sheet - OWASP



  • 3.  Re: Login.fcc frame buster code
    Best Answer

    Posted Aug 07, 2016 09:05 PM

    Hi Venkata,

     

    Not sure what version of web agent you are using, but if you are using the version which supports the XFrameOptions ACO parameter, then you can set this to DENY. (doesn't need configuration at webserver) to prevent this.

     

    Help Prevent Attacks - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

    Ensure Agent Responses Comply with X-Frame-Options

    The X-Frame-Options HTTP header determines whether a browser loads a web page that is embedded or framed in another web page using the <frame> tag. If you use the X-Frame-Options response header in your web applications, ensure that Web Agent responses, such as the login.fcc form response, comply with the X-Frame-Options response header by setting the XFrameOptions ACO parameter. Specifying a value for this parameter sets a Web Agent response with the correct X-Frame-Options header.

    XFrameOption

    The available values for the XFrameOptions parameter are the same as the values for the X-Frame-Options response header:

    Values: DENY, SAMEORIGIN, ALLOW-FROM uri
    The X-Frame-Options is described by RFC 7024

    Default: None (the header is not set)

    Example: XFRAMEOptions = SAMEORIGIN

    However, X-Frame-Options has its own known limitation and might not be honored by all browsers.

    See more here :

    Tech Tip - CA Single Sign-On: Web Agent : X-Frame-Options Introduced

     

    Cheers,

    Ujwol Shreshta



  • 4.  Re: Login.fcc frame buster code

    Posted Aug 10, 2016 09:37 AM

    Always forget that option exists . Always just stuck it at web server since not everything is always SM protected.

     

    If I can digress a bit from the .fcc specifically.

     

    Is it possible to respond with different X-Frame-Options based on path for SM protected resources?

     

    For example, I'd want the .fcc and user interaction pages to be X-Frame-Options: DENY or SAMEORIGIN. However for /affwebservices/ I would not want the X-Frame-Options because apps like SharePoint need to actually complete a SAML exchange within a frame.



  • 5.  Re: Login.fcc frame buster code

    Posted Aug 10, 2016 09:41 AM

    It's an ACO parameter so its appliable for the agent (wide) irrespective of which resource it is protecting.