A Cross-Site Scripting (XSS) attack can occur when an application displays input received from a browser without filtering for characters that can form an executable script. The input is typically data from a POST body or from query parameters on a URL. Displaying these characters unfiltered in a browser can lead to an unwanted script being executed in that browser.
SOA Security Manager provides several JSPs for use with SOA Security Manager federation functionality. These JSPs check characters in a request to be sure that unsafe information in the output stream is not displayed in the browser.
When SOA Security Manager receives a federation request, the following JSPs scan the decoded values for cross-site scripting characters:
- Used at the relying party for Identity Provider Discovery.
- Used at the relying party for dynamic account linking.
- Used at the IdP to initiate single sign-on. You can use this sample application to direct the user to the SSO Service and then to the custom web application. Typically, you use your own application.
- Used at the Account Partner for WS-Federation sign out.
- Used for IdP-initiated single sign-on when the user is sent directly to the web application and not initially to the SSO Service.
The pages scan the request for the following characters:
| Character | Description |
|---|---|
| < | left angle bracket |
| > | right angle bracket |
| ' | single quotation mark |
| " | double quotation mark |
| % | percent sign |
| ; | semi-colon |
| ( | open (left) parenthesis |
| ) | closed (right) parenthesis |
| & | ampersand |
| + | plus sign |
Each SOA Security Manager-provided JSP contains a variable that defines the characters to scan. You can modify these JSPs to expand the character set.
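The following is an added illustration of the kind of check described above; it is not the JSP code CA ships. It scans URL-decoded values for the characters in the table and keeps the character set in a single variable that can be extended, as the text says the JSP variable can. The parameter names and values are constructed placeholders.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

public class XssCharacterScan {
    // The characters listed on this page. Add to this string to widen the check,
    // the same way the JSP-provided variable can be modified.
    static final String UNSAFE_CHARS = "<>'\"%;()&+";

    // Returns the index of the first unsafe character, or -1 if the value is clean.
    static int firstUnsafeIndex(String decodedValue) {
        for (int i = 0; i < decodedValue.length(); i++) {
            if (UNSAFE_CHARS.indexOf(decodedValue.charAt(i)) >= 0) {
                return i;
            }
        }
        return -1;
    }

    // Scan the decoded value, as the JSPs do: "%3Cscript%3E" contains none of
    // the raw characters but decodes to "<script>", which is what the browser
    // would render. Note that URLDecoder turns a literal '+' into a space,
    // while "%2B" decodes to '+' and is caught. A malformed escape such as a
    // bare '%' cannot be decoded and is treated as unsafe rather than ignored.
    static boolean isSafe(String rawValue) {
        try {
            String decoded = URLDecoder.decode(rawValue, StandardCharsets.UTF_8);
            return firstUnsafeIndex(decoded) < 0;
        } catch (IllegalArgumentException malformedEscape) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample request parameters (placeholder names, not CA's).
        Map<String, String> params = Map.of(
            "RelayState", "https%3A%2F%2Fexample.com%2Fapp",
            "target", "%3Cscript%3Ealert(1)%3C%2Fscript%3E",
            "note", "100%");
        for (Map.Entry<String, String> e : params.entrySet()) {
            System.out.println(e.getKey() + ": " + (isSafe(e.getValue()) ? "ok" : "rejected"));
        }
    }
}
```

Running this prints `RelayState: ok`, `target: rejected` and `note: rejected`; a rejected value should be dropped or replaced before anything is written to the output stream, never echoed back in an error message.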
Copyright © 2011 CA. All rights reserved.