WebSphere Application Server & Liberty

  • 1.  Prevent Cross-site Script in Websphere 7 version

    Posted Tue December 17, 2013 03:54 PM
    Hi All,

    We have an application requirement to prevent cross-site scripting from the application, and I heard that, using WebSphere server, we can set up the class below in the web container, so that the web container encodes the specified error messages prior to formatting them, to prevent Cross-Site Scripting (XSS) attacks on the client if the application does not sanitize these messages.

    com.ibm.ws.webcontainer.setUnencodedHTMLinsendError = true

    But when I tried same set up under custom property of web container, it's not recognizing any script tags which are appended through input data.

    Can anyone please suggest? Does WAS have the feature of preventing cross-site scripting? If yes, can you please provide me the solution?


    Thanks in advance


  • 2.  Prevent Cross-site Script in Websphere 7 version

    Posted Wed December 18, 2013 04:40 AM
    Hi seegel,

      for which version of WAS?
     
      You have different fixes for WAS that prevent some XSS vulnerabilities.  

      Fix list for IBM WebSphere Application Server V7.0
      www-01.ibm.com/support/docview.wss?uid=s...  
     
      Fix list for IBM WebSphere Application Server V8.0
      www-01.ibm.com/support/docview.wss?uid=s...
     
      Fix list for IBM WebSphere Application Server V8.5
      www-01.ibm.com/support/docview.wss?uid=s...
     
     
      Your property com.ibm.ws.webcontainer.setUnencodedHTMLinsendError in version 6.1 needs FP 35 (6.1.0.35)
     
      You can use the next property, com.ibm.ws.security.addHttpOnlyAttributeToCookies
     
      V6.1
      pic.dhe.ibm.com/infocenter/wasinfo/v6r1/...
     
      V7
      pic.dhe.ibm.com/infocenter/wasinfo/v7r0/...
     
      V8
      pic.dhe.ibm.com/infocenter/wasinfo/v8r0/...
     
      com.ibm.ws.webcontainer.HTTPOnlyCookies
      pic.dhe.ibm.com/infocenter/wasinfo/v8r0/...
     
      V8.5
      pic.dhe.ibm.com/infocenter/wasinfo/v8r5/...
     
      Cookie settings
      pic.dhe.ibm.com/infocenter/wasinfo/v8r5/...
     
      Hope this helps.
     
    regards
     


  • 3.  Prevent Cross-site Script in Websphere 7 version

    Posted Thu December 19, 2013 12:59 AM
    Hi Gabriel,

    We are using WAS version 7.0.0.29 and I used the com.ibm.ws.security.addHttpOnlyAttributeToCookies class. But I could still see cross-site attacks from the security tool.


  • 4.  Prevent Cross-site Script in Websphere 7 version

    Posted Thu December 19, 2013 05:37 AM
    Hi Seegel,

      You're right
     
      I have found the next answer in developerWorks
     
       How to handle Cross site scripting (XSS) in WebSphere Application Server 7
       www.ibm.com/developerworks/community/for...

       "I don't think you'll have much luck with that approach. Your application has to handle its own input and output with care to avoid XSS."
       
      Some useful links
     
      Prevent cross-site scripting attacks by encoding HTML responses
      www.ibm.com/developerworks/java/library/...
     
      IBM Rational AppScan: Cross-site scripting explained
      www.ibm.com/developerworks/rational/libr...
     
      Prevent a cross-site scripting attack
      www.ibm.com/developerworks/library/wa-se...
     
      Improve web application security with jQuery Mobile
      www.ibm.com/developerworks/xml/tutorials...
     
      Hope this helps.

    regards
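The quoted advice above, that the application must handle its own output with care, as an added example that is not from the thread, from IBM, or from WebSphere's own code: a minimal Java encoder for HTML text and double-quoted attribute context, with the unencoded rendering that a scanner flags beside the encoded one. The class name, method names and the sample input are constructed for this example. In a servlet the same pattern is to pass `request.getParameter("name")` through `renderSafe` before writing it with `response.getWriter()`; as post 1 describes, the `setUnencodedHTMLinsendError` container property only covers the error messages the container itself formats, not HTML the application writes, which is why the scanner keeps finding the reflected parameter.

```java
/**
 * Added example (not IBM or WebSphere code): output encoding at the point
 * where untrusted data is written into an HTML response.
 */
public final class XssOutputEncoding {

    /**
     * Encode a string for use as HTML text or inside a double-quoted
     * attribute value. Every character with HTML meaning becomes an entity,
     * so the browser renders it as data instead of parsing it as markup.
     */
    public static String encodeForHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // &apos; is not HTML 4
                case '/':  sb.append("&#47;");  break; // closes tags in some contexts
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Unsafe: the request parameter is reflected as-is (what the scanner flags). */
    public static String renderUnsafe(String name) {
        return "<p>Hello, " + name + "!</p>";
    }

    /** Safe: the same output, encoded for HTML context at the moment of writing. */
    public static String renderSafe(String name) {
        return "<p>Hello, " + encodeForHtml(name) + "!</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input of the kind a scanner submits in a parameter.
        String input = "<script>alert('x')</script>";

        // The unsafe rendering hands the tag to the browser unchanged.
        System.out.println(renderUnsafe(input));
        // The safe rendering shows the text literally and executes nothing.
        System.out.println(renderSafe(input));
    }
}
```

Compile and run with `javac XssOutputEncoding.java && java XssOutputEncoding`. The encoder covers HTML text and attribute context only; data placed inside a JavaScript block, a URL or a CSS rule needs the encoding rules of that context, which is the point the developerWorks article linked above makes.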