A penetration test indicates that QlikView is potentially vulnerable to a clickjacking attack.
Clickjacking is also referred to as a user interface redress attack, UI redress attack or UI redressing. It is a malicious technique that tricks a web user into clicking on something different from what they perceive they are clicking on, potentially revealing confidential information or handing over control of their computer while they interact with seemingly innocuous web pages. For more details:
https://en.wikipedia.org/wiki/Clickjacking

This type of attack is prevented by adding an X-Frame-Options HTTP response header at the web server. The X-Frame-Options HTTP response header indicates whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use it to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.
The X-Frame-Options HTTP response header is currently not supported by the QlikView Web Server. It can only be enabled for QlikView content by using IIS as the web server.
Please see the Microsoft knowledge base article KB2694329, Mitigating framesniffing with the X-Frame-Options header, for more details on how to apply the X-Frame-Options HTTP response header in IIS.
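As an added example (not part of this article or of Qlik's documentation), the following IIS web.config fragment adds the header to every response the site serves. It assumes IIS 7 or later with the standard customHeaders element and is placed in the root web.config of the site that hosts the QlikView content.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- SAMEORIGIN: pages may only be framed by pages from this same site.
             Use DENY instead if nothing on the site needs to frame QlikView pages. -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

After the change, every response from the site should carry the X-Frame-Options header, which can be confirmed in the browser's developer tools or in an IIS request trace; a browser will then refuse to render those pages inside a frame on another origin, which is the condition the penetration test finding checks for.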