Preventing Cross Site Framing via X-Frame-Options

  • 15 February 2022


Preventing Cross Frame Scripting (XFS) via X-Frame-Options

kbt141024

PRODUCT
K2 Five
K2 blackpearl 4.6.11
K2 smartforms 4.6.11 to 4.7
BASED ON
K2 smartforms 4.7
TAGS
Security
This article was created in response to a support issue logged with K2. The content may include typographical errors and may be revised at any time without notice. This article is not considered official documentation for K2 software and is provided "as is" with no warranties.

 

Please note that the configuration in this article allows SmartForms to frame itself (SAMEORIGIN) but breaks the SharePoint integration, because SharePoint pages load the forms from a different origin.

Instead, it is recommended to follow the Securing the K2 platform article.

Issue

Cross-Frame Scripting (XFS) is an attack that combines malicious JavaScript with an iframe that loads a legitimate page, in an effort to steal data from an unsuspecting user (audit tools often report the same finding as clickjacking). When customers perform penetration tests or similar security audits on their K2 SmartForms, they may receive reports stating that SmartForms is vulnerable to Cross-Frame Scripting.

 

This can be resolved by making sure SmartForms responds with the X-Frame-Options response header. The X-Frame-Options HTTP response header tells a browser whether it may render the page inside a <frame>, <iframe> or <object>: DENY refuses all framing, while SAMEORIGIN allows framing only by pages from the same origin. The older ALLOW-FROM directive is not honoured by current browsers, so a specific third-party origin (such as a SharePoint site) can only be permitted with the Content-Security-Policy frame-ancestors directive. By default, K2 SmartForms is not set up with the X-Frame-Options header configured.

Symptoms

  • Penetration tests, or other security audits will indicate that K2 Smartforms has failed the Cross-Frame Scripting test.
  • It is possible to display Smartforms on another web page by embedding an iframe to load Smartforms.

Troubleshooting Steps

Please note that setting X-Frame-Options will also prevent your SmartForms forms from loading properly within your SharePoint site.

  1. On the web server that hosts your SmartForms, go to [Program Files]\K2\K2 Smartforms Runtime, open web.config, and add the X-Frame-Options entry under system.webServer/httpProtocol/customHeaders, so that the SmartForms Runtime web.config looks similar to this:
     
    <system.webServer>
      ...
      <httpProtocol>
        <customHeaders>
          ...
          <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
      </httpProtocol>
      ...
    </system.webServer>
  2. Run IISRESET to apply the settings, then confirm that a SmartForms response now carries the header (for example with curl -I against a form URL and checking for X-Frame-Options: SAMEORIGIN).
  3. You can also configure the same for your K2 Designer: edit web.config in [Program Files]\K2\K2 Smartforms Designer and follow the same steps above.

Alternatively, the same header can be added through IIS Manager (select the site, open HTTP Response Headers, and add a custom header), which writes the same customHeaders entry into web.config.
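The web.config edit above and the header semantics described under Issue, as an added example that is not part of the original article or of K2's own tooling. The script patches a constructed stand-in for the SmartForms web.config idempotently, reads back the static headers IIS will add, and grades them the way a pentest framing check would. The sample file, the header sets and the sharepoint.example origin are constructed for illustration; the frame-ancestors handling reflects the general browser rule that a CSP frame-ancestors directive takes precedence over X-Frame-Options, which is the route to take if SharePoint must still frame the forms.

```python
"""Added example, not part of the original K2 article: patch a SmartForms
web.config so IIS emits X-Frame-Options, and evaluate a response's headers
the way a framing (XFS / clickjacking) check in a pentest does. The sample
web.config and header sets below are constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed stand-in for [Program Files]\K2\K2 Smartforms Runtime\web.config
# before the fix: customHeaders exists but carries no X-Frame-Options entry.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

# The only X-Frame-Options values current browsers honour.
VALID_XFO = ("DENY", "SAMEORIGIN")


def _child(node, tag, create=False):
    """Return the direct child element named `tag`, creating it if asked."""
    for child in node:
        if child.tag == tag:
            return child
    return ET.SubElement(node, tag) if create else None


def ensure_xfo_header(web_config_xml: str, value: str = "SAMEORIGIN") -> str:
    """Return web.config text with exactly one X-Frame-Options customHeader.

    Creates system.webServer/httpProtocol/customHeaders when missing and
    replaces any existing X-Frame-Options <add>, so re-running is harmless.
    Note: ElementTree drops XML comments, so back up the real file first.
    """
    if value not in VALID_XFO:
        raise ValueError("use DENY or SAMEORIGIN; ALLOW-FROM is no longer honoured")
    root = ET.fromstring(web_config_xml)
    if root.tag != "configuration":
        raise ValueError("not an IIS web.config (root must be <configuration>)")
    node = root
    for tag in ("system.webServer", "httpProtocol", "customHeaders"):
        node = _child(node, tag, create=True)
    for existing in node.findall("add"):
        if existing.get("name", "").lower() == "x-frame-options":
            node.remove(existing)
    ET.SubElement(node, "add", {"name": "X-Frame-Options", "value": value})
    if hasattr(ET, "indent"):  # Python 3.9+, cosmetic only
        ET.indent(root, space="  ")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def configured_headers(web_config_xml: str) -> dict:
    """Collect the static response headers a web.config tells IIS to add."""
    node = ET.fromstring(web_config_xml)
    for tag in ("system.webServer", "httpProtocol", "customHeaders"):
        node = _child(node, tag)
        if node is None:
            return {}
    return {a.get("name"): a.get("value", "") for a in node.findall("add") if a.get("name")}


def framing_verdict(headers: dict) -> str:
    """Classify a response the way a framing (XFS / clickjacking) check does.

    `headers` maps header name -> value; names are matched case-insensitively.
    A CSP frame-ancestors directive wins over X-Frame-Options in browsers that
    support both, which is what lets one named SharePoint origin frame a page
    that SAMEORIGIN alone would block.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # An empty source list means no ancestor is permitted.
            return "protected: CSP frame-ancestors " + (" ".join(parts[1:]) or "'none'")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in VALID_XFO:
        return f"protected: X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return "weak: ALLOW-FROM is ignored by current browsers, page can be framed"
    if xfo:
        return f"weak: unrecognised X-Frame-Options value {xfo!r} is ignored"
    return "vulnerable: no framing restriction, page can be iframed cross-site"


if __name__ == "__main__":
    print("before:", framing_verdict(configured_headers(SAMPLE_WEB_CONFIG)))
    fixed = ensure_xfo_header(SAMPLE_WEB_CONFIG)
    print("after: ", framing_verdict(configured_headers(fixed)))
    print(fixed)
```

To apply this to a real server, read the Runtime (and Designer) web.config into a string, pass it through ensure_xfo_header, write the result back, run IISRESET, and then feed the live response headers (for example from curl -I) to framing_verdict to confirm the finding is closed. If SharePoint must still frame the forms, the verdict function shows the shape of the alternative: a Content-Security-Policy with frame-ancestors listing 'self' and the SharePoint origin, rather than an X-Frame-Options value that current browsers would ignore.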
