Note: To use the cross site scripting protection security feature for a store, you need to define the ProhibitedAttrsErrorView, ProhibitedCharacterErrorView, and ProhibCharEncodingErrorView views for the store.
The Cross Site Scripting Protection node of the Configuration Manager enables or disables cross site scripting protection for your instance. When enabled, this feature rejects any user requests that contain attributes or strings that are designated as not allowable. You can specify the disallowed attributes and strings in this node of the Configuration Manager. You can also exclude commands from cross site scripting protection by allowing the values of specified attributes for that particular command to contain prohibited strings. Cross site scripting protection is disabled by default.
Warning: Cross site scripting protection is a restrictive feature in that it will restrict the execution of the commands based on the configuration. The feature does not check what attributes or strings have been defined as prohibited, so when you configure it, make sure that prohibited attributes are not those used by the commands. Also make sure the prohibited strings are not values that are usually passed to the commands. Use extreme caution when configuring this feature.
- General tab
- Use the General tab to activate the cross site scripting protection feature by clicking Enable. Configure the feature by completing the following tables:
- Prohibited Attributes table
- Lists attributes that you wish to disallow for WebSphere Commerce commands. To add attributes that you wish to disallow for WebSphere Commerce commands, right-click on the Prohibited Attributes table and select Add row. Type the attribute that you wish to disallow. You can only specify one attribute per row. To remove attributes from the Prohibited Attributes table, highlight and right-click the line containing the attribute in the table and select Delete row.
- Prohibited Characters table
- Lists character strings that you wish to disallow for WebSphere Commerce commands. To add strings that you wish to disallow for WebSphere Commerce commands, right-click on the Prohibited Characters table and select Add row. Add the string that you wish to disallow. You can only specify one string per row. To remove characters from the Prohibited Characters table, highlight and right-click the line containing the character in the Prohibited Characters table and select Delete row.
Note: The following strings are specified by default in the prohibited characters fields. These strings are most commonly used as scripting tags in malicious cross site scripting attacks:
- "<SCRIPT"
- "<SCRIPT"
- "<%" and "<%"
- Advanced tab
- Use the Advanced tab to exclude WebSphere Commerce commands from cross site scripting protection by allowing the values of specified attributes for that particular command to contain prohibited strings.
- Command List
- Lists the WebSphere Commerce commands. Select the commands to exclude from this list. Type in a list of attributes, separated by commas, for which prohibited characters are allowed in the List of Excepted Attributes window and click Add. To remove a command along with its attributes, select the command from the List of Excepted Commands window and click Remove. You can also remove specific attributes from a command by selecting the attribute and clicking Remove.
To apply your changes to Configuration Manager, click Apply. Upon successfully updating the configuration for your instance, you will receive a message indicating a successful update. From the WebSphere Application Server Administration Console, stop then restart the WebSphere Commerce Server instance.
Notes:
- When commands are excluded from cross site scripting protection, the values of the specified attributes are not passed through unchanged but are HTML-encoded (the markup characters are replaced by their HTML entities). For example, the command "cmd1?user=<Thomas>" is encoded as "cmd1?user=&lt;Thomas&gt;".
- When you specify a string in the prohibited characters fields, be aware that:
- A certain sequence of characters can cause the string to be converted to a single character in compliance with URL encoding standards. For example, the string "<%bb" is converted into the string "<X", where X is the single character whose hexadecimal value is 'bb' (decimal 187). Because the check runs on the decoded value, the string "<%bb" is not caught by cross site scripting protection when it is passed in a URL.
- A certain sequence of characters can cause the string conversion to fail if it does not comply with URL encoding standards. For example, the string "<%gg" causes conversion to fail, since 'gg' is not a valid hexadecimal value. In this case the string "<%gg" causes an exception, resulting in no response to the URL request containing such a string, whether or not cross site scripting protection is enabled.
Example: Consider the following examples:
- Prohibited strings: "<SCRIPT", "<%"
  Prohibited attributes: mycomment, description

  Command                        Status
  cmd1?description=Available...  rejected
  cmd2?userid=Thomas...          accepted
  cmd3?mycomment=<SCRIPT>...     rejected
  cmd4?password=<%...%>...       rejected

- If you wish to allow the attribute "text" of the cmd1 command to contain prohibited strings ("<SCRIPT", "<%"), but not other attributes, for example the attribute "txt", you can exclude cmd1 and specify "text" as the excepted attribute.

  Command                   Status
  cmd1?text=<SCRIPT>...     accepted
  cmd1?text=<%...%>...      accepted
  cmd1?txt=<SCRIPT>...      rejected
  cmd1?txt=<%..%>...        rejected
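The following model of the documented rules is added here as an illustration and is not WebSphere Commerce's own code. It uses the configuration of the example above (prohibited attributes, prohibited strings, and cmd1 with "text" excepted), HTML-encodes excepted values as the note describes, and also reproduces the two URL-decoding cases from the notes ("<%bb" slipping past the check, "<%gg" raising); exact substring matching after decoding is an assumption.

```python
from html import escape
from string import hexdigits

# Constructed configuration mirroring the page's worked example (not WebSphere
# Commerce's own code): prohibited attributes, prohibited strings, and the
# command/attribute exceptions that would be entered on the Advanced tab.
PROHIBITED_ATTRS = {"mycomment", "description"}
PROHIBITED_STRINGS = ("<SCRIPT", "<%")
EXCEPTED_ATTRS = {"cmd1": {"text"}}   # command -> attributes allowed to carry prohibited strings


def url_decode(value: str) -> str:
    """Decode %XX escapes the way the page describes: a valid pair becomes one
    character (so "<%bb" -> "<" + chr(0xbb)); an invalid pair such as "%gg"
    raises, modelling the exception the page says such a request triggers."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "%":
            pair = value[i + 1:i + 3]
            if len(pair) != 2 or not all(c in hexdigits for c in pair):
                raise ValueError(f"invalid URL escape at {value[i:i + 3]!r}")
            out.append(chr(int(pair, 16)))
            i += 3
        else:
            out.append(" " if value[i] == "+" else value[i])
            i += 1
    return "".join(out)


def check_request(url: str):
    """Apply the documented rules to 'command?attr=value&...'.
    Returns ("rejected", reason) or ("accepted", {attr: value}); values of
    excepted attributes come back HTML-encoded, as the page's note describes.
    Assumption: prohibited strings are matched as exact substrings after decoding."""
    command, _, query = url.partition("?")
    accepted = {}
    for pair in filter(None, query.split("&")):
        name, _, raw = pair.partition("=")
        name, value = url_decode(name), url_decode(raw)
        if name in PROHIBITED_ATTRS:
            return ("rejected", f"prohibited attribute {name!r}")
        excepted = name in EXCEPTED_ATTRS.get(command, set())
        if not excepted and any(s in value for s in PROHIBITED_STRINGS):
            return ("rejected", f"prohibited string in {name!r}")
        accepted[name] = escape(value, quote=False) if excepted else value
    return ("accepted", accepted)
```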
For more information, see the section on authentication in the WebSphere Commerce Security Guide.