Mitigating against clickjacking in Qlik Sense and QlikView, X-FRAME Options in response header

Author: Andre_Sostizzo (Digital Support)

Created: Jul 20, 2016 5:21:17 PM
Last update: Nov 14, 2022 6:09:57 AM, by Sonja_Bauernfeind

Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker. (source)


In Qlik Sense and QlikView, using the default setup, it is possible to embed a Qlik Sense site or a QlikView App into an iframe external to the site and, potentially, capture credentials.

The main defence against this vulnerability is to set the X-Frame-Options header on the server's HTTP responses. This header tells the browser whether or not it may render the page inside an iframe.

There are a handful of values that can be configured. Browser support for each of them varies, so check which X-Frame-Options value you are setting is honoured by the browsers you need to support.


Qlik Sense

To mitigate against this you need to specify the X-Frame-Options header. Possible values are “DENY”, “SAMEORIGIN” or “ALLOW-FROM”. See Clickjacking Defense Cheat Sheet.

  1. Open the Qlik Sense Management Console
  2. Navigate to the Virtual Proxy used in the implementation
  3. Click Edit
  4. Select Advanced in the right-hand side menu
  5. Locate Additional response headers
  6. Add: X-Frame-Options: SAMEORIGIN
[Screenshot: X_Frame_Options.png]
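Once the header is configured, the fastest way to confirm the virtual proxy is really sending it is to inspect the response headers of the hub. The following script is an added example written for this article, not code from Qlik; it evaluates the X-Frame-Options values discussed above and also the Content-Security-Policy frame-ancestors directive, which current browsers honour in preference to X-Frame-Options (ALLOW-FROM in particular is ignored by modern browsers, so the check treats it as unprotected). The sample header sets are constructed for illustration, and the hub URL is an assumption.

```python
import re
import urllib.request


def assess_framing_headers(headers):
    """Return (protected, reason) for a mapping of HTTP response headers.

    Header names are matched case-insensitively. A CSP frame-ancestors
    directive wins over X-Frame-Options, as it does in current browsers.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    m = re.search(r"frame-ancestors\s+([^;]+)", csp, re.IGNORECASE)
    if m:
        sources = m.group(1).strip()
        if sources == "*":
            return False, "CSP frame-ancestors * allows any site to frame the page"
        return True, f"CSP frame-ancestors {sources}"
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is not honoured by current browsers"
    if xfo:
        return False, f"unrecognised X-Frame-Options value {xfo!r}"
    return False, "no X-Frame-Options or CSP frame-ancestors header"


def check_url(url):
    """Fetch a URL (for example the Qlik Sense hub) and assess its headers."""
    with urllib.request.urlopen(url) as resp:
        return assess_framing_headers(dict(resp.headers.items()))


# Constructed sample header sets, not captured from a real deployment.
SAMPLES = {
    "default virtual proxy": {"Content-Type": "text/html"},
    "after step 6": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://portal.example.com"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        ok, why = assess_framing_headers(hdrs)
        print(f"{name:22} {'protected' if ok else 'FRAMEABLE':10} {why}")
    # Assumed hub URL; replace with your own virtual proxy prefix.
    # print(check_url("https://qlikserver.example.com/hub/"))
```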


QlikView

QlikView allows for the use of custom headers (much like Qlik Sense) natively beginning with the 12.30 release.

See QlikView WebServer: Custom HTTP Header.

You can also implement them using IIS if IIS is being used as the web server: Setting Custom HTTP Headers in IIS for QlikView.


Related Content

How to allow Qlik Sense to be embedding in an iFrame only from specific websites


Environment

QlikView 
Qlik Sense Enterprise on Windows 

Comments
Luck
Partner - Contributor II

Is there any of the same reference to mitigate against clickjacking in QlikView?

Sonja_Bauernfeind
Digital Support

Hello @Luck 

QlikView allows for the use of custom headers (much like Qlik Sense) natively beginning with the 12.30 release.

See QlikView WebServer: Custom HTTP Header.

You can also implement them using IIS if IIS is being used as the web server: Setting Custom HTTP Headers in IIS for QlikView.

All the best,
Sonja 

jchacko_rxsense
Contributor III

So, if I am understanding this correctly, this setup will add a security measure where I won't be able to use my Qlik website or a Qlik app in an iFrame which is external to the site.

What should be done for the other way around? How do I mitigate the same if I want to open a link in an iFrame in my Qlik Sense Mashup?

jchacko_rxsense
Contributor III

@Andre_Sostizzo 

What should be done for the other way around? Is it possible to open a link in an iFrame in my Qlik Sense Mashup?
Currently I am getting the error

"Refused to display 'https://abc.com' in a frame because it set 'X-Frame-Options' to 'sameorigin'."

where 'https://abc.com' is the link which I am trying to see through my Qlik Sense mashup using an iFrame.


Sonja_Bauernfeind
Digital Support

Hello @jchacko_rxsense 

In order to get you the assistance that you need, I would recommend posting about your requirements and what challenges you are facing in our Integration forum.

If you, however, require direct assistance on this, our professional services are available to assist you.

All the best,
Sonja 
