This section contains the following topics:
Protect Web Sites Against Cross-Site Scripting
Configure the Web Agent to Check For Cross Site-Scripting
Protect J2EE Applications against Cross-Site Scripting Attacks
Override the Default CSS Character Set
Safeguard Information in Cookies with HTTP-Only Attribute
Compare IP Addresses to Prevent Security Breaches
Help Prevent DNS Denial Of Service Attacks
Ensure Custom Responses Comply with X-Frame Options
A Cross Site Scripting (CSS) attack can occur when the input text from the browser (typically, data from a post or data from query parameters on a URL) is displayed by an application without being filtered for characters that may form a valid, executable script when displayed at the browser.
An attack URL can be presented to unsuspecting users. When a user clicks on the URL, an application may return a display to the browser that includes the input characters, along with an error message about bad parameters on the query string. The display of these parameters at the browser can lead to an unwanted script being executed on the browser.
For example, when a user types news into a search engine web page, the application normally might return a blank field, or a response, such as:
Your search for news returned the following:
In response to an attack URL, the browser might receive a response, such as:
news<script>BadProgram</script>
The BadCSSChars parameter does not interpret the double quotation mark (") if it is entered as an ASCII character. To include the double quotation mark as a bad cross-site scripting character, enter the hexidecimal equivalent of the ASCII character, which is %22. For example:
BadCSSChars="%22"
To instruct the Web Agent to check a URL for characters that may be part of an executable script, set the CSSChecking parameter to yes. By enabling this parameter, the Web Agent scans a full URL, including the query string, for escaped and unescaped versions of the following default character set:
You can prevent an attacker from bypassing cross-site scripting protection by using noncanonical (overlong) unicode characters in a request.
Follow these steps:
Prevents attackers from sending noncanonical (overlong) Unicode (utf-8) characters in requests and attempting to bypass cross-site scripting protection. When the value of this parameter is yes, the agent blocks requests for URLs containing noncanonical (overlong) Unicode characters.
Default: No
To override the default cross-site scripting character set, enter a character set of your choice for the BadCSSChars parameter. Include the entire string of characters that you want. For example, if you set the BadCSSChars parameter to <,>, the Web Agent scans only for the left and right angle brackets.
If the Web Agent detects a problem related to the character set, it returns an Access Denied message to the user, and the logs the following message in the Agent error log:
Caught Possible Cross Site Scripting Violation in URL. Exiting with HTTP 403 ACCESS FORBIDDEN.
Some applications require the use of the quote characters in the query string, irrespective of the web server platform. For example, some Domino applications, such as iNotes Web Access, require the use of single quotes.
To use applications that require quotes in the query string, remove quotation marks from the BadCssChars parameter.
If you leave do not use this parameter, the Web Agent checks for the default character set.
Note: For more information about cross-site scripting, go to CERT Advisory.
To help protect against cross-site scripting attacks, you can make the Web Agent set the HTTP-Only attribute for any cookies it creates using the following parameter:
Instructs the Web Agent to set the HTTP-only attribute on the cookies it creates. When a Web Agent returns a cookie with this attribute to a user's browser, the contents of the cookie cannot be read by a script, even a script from the web site which originally set the cookie. This helps prevent any sensitive information in the cookie from being sent to an unauthorized third party through a script.
Default: No
To safeguard the information in cookies, set the value of the UseHTTPOnlyCookies parameter to yes.
An unauthorized system can monitor packets, steal a cookie, and use that cookie to gain access to another system. To prevent a breach of security by an unauthorized system, you can enable or disable IP checking with persistent and transient cookies.
The IP checking feature requires agent to compare the IP address stored in a cookie from the last request against the IP address contained in the current request. If the IP addresses do not match, the agent rejects the request.
The two parameters that are used to implement IP checking are PersistentIPCheck and TransientIPCheck. Set them as follows:
SiteMinder identity cookies are unaffected by IP checking.
If a web server receives HTTP requests with false IP addresses, the Web Agent tries to resolve the IP addresses to fully qualified domain names. For large volumes of HTTP requests, a denial-of-service condition could affect the Web Agent and possibly the DNS servers. The following parameter controls whether the Web Agent performs DNS lookups:
Prevents the Web Agent from performing DNS lookups.
Follow these steps:
Important! When the value of this parameter is set to yes, fully qualified domain names are required for cookie-based functions to work properly.
If you use the X-Frame-Options response header in your web applications, you can ensure that any customized responses from your agent return this header properly. The setting in the X-frame options header determines if the browser renders a page with content between a <frame> or an <iframe> tag.
You can determine whether the custom responses from your agent comply with X-frame-options with the following parameter:
Specifies whether custom responses comply with the x-frame-options response headers. Setting this parameter sets any custom responses with the correct x-frame-options header.
Default: No (responses do not comply with x-frame options response headers).
Range: Yes, No
To ensure that your custom responses comply with x-frame options, set the value of the XFrameOptions parameter to yes.
|
Copyright © 2012 CA.
All rights reserved.
|
|