12.6.2 Option 2: Filtering

By default, the XSS detection filter is enabled in Identity Server’s web.xml file.

For information about how to open and modify a file, see Modifying Configurations.

The filter is as follows:

<filter>
             <filter-name>XSSDetectionFilter</filter-name>
             <filter-class>com.novell.nidp.servlets.filters.xss.XSSDetectionFilter</filter-class>
             <description>This filter is used to detect XSS attacks in NIDS</description>
             <init-param>
               <param-name>active</param-name>
                  <param-value>True</param-value>
               </init-param>
             <init-param>
                    <param-name>level</param-name>
                  <param-value>SCRIPT_TAGS</param-value>
              </init-param>
            <init-param>
                    <param-name>exclude</param-name>
                  <param-value>soap,wstrust,metadata,oauth</param-value>
              </init-param>
</filter>

NOTE:In Access Manager 5.0 Service Pack 2 and later, you can scan JavaScript directives along with the script directive by using the param-value SCRIPT_TAGS_AND_JS_DIRECTIVES instead of SCRIPT_TAGS.

To improve the XSS Detection with Strict checking of the attacks, use the ALL_PARAMETERS value for the XSSDetectionFilter.

To disable it, set the <param-value> True to False as follows:

<init-param>
        <param-name>active</param-name>
      <param-value>False</param-value>
</init-param>

To exclude it from a specific request, add a URL string from that request in the <param-name>exclude</param-name> tag that contains the default excluded request path name.

For example: If wsfed request fails due to some reason, add wsfed in the exclude list. Now, Identity Provider will not filter wsfed specific requests.The exclude init-param is as follows:

<init-param>
       <param-name>exclude</param-name>
   <param-value>soap,wstrust,metadata,oauth,wsfed</param-value>
  </init-param>

NOTE:It is recommended to use the above option as it overrides the following approach:

This approach might have a minor performance impact due to the checks it performs. If you perform HTML escaping in customized JSP pages, you do not need to perform this additional filtering.

Perform the followings steps to sanitize Identity Server’s customized JSP file:

  1. The eMFrame_xss.jar library prevents XSS based attacks.

  2. Add a filter in Identity Server’s web.xml file.

    <filter><filter-name>XSS</filter-name><display-name>XSS</display-name><description>Filters XSS injections.</description> <filter-class>com.novell.emframe.fw.filter.CrossScriptingFilter</filter-class></filter> <filter-mapping><filter-name>XSS</filter-name><url-pattern>/*</url-pattern></filter-mapping>

    For information about how to open and modify a configuration file, see Section 4.2.4, Modifying Configurations.