By default, Access Manager performs extensive checks to prevent Cross-site Scripting (XSS) attacks. However, Access Manager does not validate a JSP file if you have customized it. If you modify JSP files to customize the login, logout, error pages, and so forth, you must sanitize the respective JSP file to prevent XSS attacks.
Perform one of the following options to sanitize the customized JSP file:
Perform the following XSS checks for the customized JSP file to protect it from possible XSS attacks. For more information about XSS prevention techniques, see XSS (Cross Site Scripting) Prevention Cheat Sheet.
Perform the following steps:
Verify that the org.apache.commons.lang.StringEscapeUtils class is imported in the JSP file.
For information about how to edit a file, see Modifying Configurations
in the NetIQ Access Manager Appliance CE 24.2 (v5.1) Administration Guide.
For example, the following import statement should be available in the import section of the JSP file:
<%@ page import="org.apache.commons.lang.StringEscapeUtils"%>
NOTE: The escapeHtml function supports all known HTML 4.0 entities but does not escape the apostrophe character (') because its escape (&apos;) is not a legal HTML 4.0 entity.
Refer to the example below:
Refer to the file: err_latest.jsp
Add the following import statement to the JSPs:
<%@ page import="org.apache.commons.lang.StringEscapeUtils" %>
Example of using StringEscapeUtils:
strUIComponentsToHide = (String) StringEscapeUtils.escapeHtml(request.getParameter(NIDPConstants.HTTP_REQUEST_PARAM_NAME_UICOMPONENTS_TOHIDE));
When the getAttribute and getParameter methods are invoked on request, the returned strings must be passed through the escapeHtml method of the StringEscapeUtils class before they are written into the page.
Handling HTML 4.0 entities while using StringEscapeUtils:
Note that the commonly used apostrophe escape character (&apos;) is not a legal HTML 4.0 entity and so is not supported by escapeHtml. Replace the apostrophe explicitly after escaping, using its numeric character reference:
strUIComponentsToHide = strUIComponentsToHide.replace("'", "&#39;"); // escapeHtml leaves the apostrophe untouched, so replace it separately
See https://commons.apache.org/proper/commons-lang/apidocs/org/apache/commons/lang3/StringEscapeUtils.html and https://commons.apache.org/proper/commons-text/javadocs/api-release/org/apache/commons/text/StringEscapeUtils.html.
Verify that all URL query parameter values are sanitized.
The following code snippet sample shows how URL query parameter values (uname and target) can be sanitized:
<%
// Fetch the values from URL query parameters
String target = (String) request.getAttribute("target");
String uname = (String) request.getAttribute("username");
String sanitizedUName = "";
if (uname != null) {
// Sanitize the value assigned to uname
sanitizedUName = StringEscapeUtils.escapeHtml(uname);
}
String sanitizedTarget = "";
if (target != null) {
// Sanitize the value assigned to the target query param
sanitizedTarget = StringEscapeUtils.escapeHtml(target);
}
%>
Enclose the value in double quotes ("") in the value attribute (or any attribute that is dynamically assigned) of every HTML element that is assigned one of the URL query parameter values above.
<!-- The last 2 double quotes are mandatory to prevent XSS attacks -->
<input type="text" class="smalltext" name="Ecom_User_ID" size="30" value="<%=sanitizedUName%>">
......
<!-- The last 2 double quotes are mandatory to prevent XSS attacks -->
<input type="hidden" name="target" value="<%=sanitizedTarget%>">
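The escaping rule described above (escapeHtml followed by the explicit apostrophe replacement) together with the double-quoted value attribute, as an added example that is not code from the original page or from NetIQ. It is a standalone Java class that assumes commons-lang 2.x (the package the JSP imports) is on the classpath; the class and method names (JspEscapeDemo, sanitize, isAttributeSafe, hiddenInput) are hypothetical, and the sample values are constructed. The isAttributeSafe post-condition check is an extra assertion a practitioner can reuse when verifying a customized JSP; it is not part of the procedure above.

```java
import org.apache.commons.lang.StringEscapeUtils;

// Added example, not NetIQ code. Assumes commons-lang 2.x (the package the
// page's JSP imports) is on the classpath; class and method names are hypothetical.
public class JspEscapeDemo {

    // The per-value rule from the procedure: escapeHtml handles the HTML 4.0
    // entities, then the apostrophe, which escapeHtml leaves as-is, is replaced
    // with its numeric character reference.
    public static String sanitize(String value) {
        if (value == null) {
            return "";   // same null handling as the JSP scriptlet
        }
        String escaped = StringEscapeUtils.escapeHtml(value);
        return escaped.replace("'", "&#39;");
    }

    // Post-condition check: none of the characters that can close a quoted
    // attribute or open a tag survive sanitisation.
    public static boolean isAttributeSafe(String sanitized) {
        for (char c : new char[] {'<', '>', '"', '\''}) {
            if (sanitized.indexOf(c) >= 0) {
                return false;
            }
        }
        return true;
    }

    // Renders the hidden input the way the snippet above does: the value is
    // always enclosed in double quotes, and only the sanitised string goes inside.
    public static String hiddenInput(String name, String rawValue) {
        String safe = sanitize(rawValue);
        if (!isAttributeSafe(safe)) {
            throw new IllegalStateException("sanitisation left an unescaped metacharacter");
        }
        return "<input type=\"hidden\" name=\"" + name + "\" value=\"" + safe + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample values: each contains a character that escapeHtml
        // or the apostrophe replacement must neutralise (plus the null case).
        String[] samples = { "alice", "O'Brien", "\"quoted\" & <b>bold</b>", null };
        for (String s : samples) {
            System.out.println(hiddenInput("target", s));
        }
    }
}
```

Compile and run it with commons-lang 2.x on the classpath; each printed input element carries the sanitised value inside double quotes, and an apostrophe in the input shows up as &#39; rather than unescaped.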
By default, the XSS detection filter is enabled in Identity Server’s web.xml file.
For information about how to edit a file, see Modifying Configurations
in the NetIQ Access Manager Appliance CE 24.2 (v5.1) Administration Guide.
The filter is as follows:
<filter>
<filter-name>XSSDetectionFilter</filter-name>
<filter-class>com.novell.nidp.servlets.filters.xss.XSSDetectionFilter</filter-class>
<description>This filter is used to detect XSS attacks in NIDS</description>
<init-param>
<param-name>active</param-name>
<param-value>True</param-value>
</init-param>
<init-param>
<param-name>level</param-name>
<param-value>SCRIPT_TAGS</param-value>
</init-param>
<init-param>
<param-name>exclude</param-name>
<param-value>soap,wstrust,metadata,oauth</param-value>
</init-param>
</filter>
NOTE: You can scan JavaScript directives along with the script tags by using the param-value SCRIPT_TAGS_AND_JS_DIRECTIVES instead of SCRIPT_TAGS.
To improve XSS detection with strict checking, use the ALL_PARAMETERS value for the level parameter of XSSDetectionFilter; it includes both SCRIPT_TAGS_AND_JS_DIRECTIVES and SCRIPT_TAGS.
To disable the filter, change the active <param-value> from True to False as follows:
<init-param>
<param-name>active</param-name>
<param-value>False</param-value>
</init-param>
To exclude a specific request from the filter, add a URL string from that request to the <param-name>exclude</param-name> init-param, which already contains the default excluded request path names.
For example, if a wsfed request fails for some reason, add wsfed to the exclude list. Identity Provider will then no longer filter wsfed-specific requests. The exclude init-param is as follows:
<init-param>
<param-name>exclude</param-name>
<param-value>soap,wstrust,metadata,oauth,wsfed</param-value>
</init-param>
NOTE: It is recommended to use the above option because it overrides the following approach:
This approach might have a minor performance impact due to the checks it performs. If you perform HTML escaping in customized JSP pages, you do not need to perform this additional filtering.
Perform the following steps to sanitize Identity Server’s customized JSP file:
The eMFrame_xss.jar library prevents XSS based attacks.
Add a filter in Identity Server’s web.xml file.
<filter>
<filter-name>XSS</filter-name>
<display-name>XSS</display-name>
<description>Filters XSS injections.</description>
<filter-class>com.novell.emframe.fw.filter.CrossScriptingFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XSS</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
For information about how to edit a file, see Modifying Configurations
in the NetIQ Access Manager Appliance CE 24.2 (v5.1) Administration Guide.
For more information about relaxed query characters, see Apache Tomcat 9 Configuration Reference (relaxedQueryChars).