Enable cross-site scripting protection
When enabled, cross-site scripting protection rejects any user requests that contain attributes (parameters) or strings that are designated as not allowable. You can also exclude commands from cross-site scripting protection by allowing the values of specified attributes for that particular command to contain prohibited strings. Cross-site scripting protection is enabled by default.
Attention: Cross-site scripting protection is a restrictive feature in that it will restrict the execution of commands based on its configuration. The feature does not check what attributes or strings have been defined as prohibited. Therefore, when configuring it, ensure that the prohibited attributes are not those used by the commands and that the prohibited strings are not values that are usually passed to the commands. Use extreme caution when configuring this feature.
- Open the WebSphere Commerce configuration file.
- Edit the following block:
<XSiteScriptingProtection enabled="true" name="Cross Site Scripting Protection">
  <ProhibitedAttrs display="false">
    <Attribute display="false" name="parameter1" />
    <Attribute display="false" name="parameter2" />
  </ProhibitedAttrs>
  <ProhibitedChars display="false">
    <Character display="false" name="<SCRIPT"/>
    <Character display="false" name="<%"/>
    <Character display="false" name="&lt;%"/>
    <Character display="false" name="&lt;SCRIPT"/>
  </ProhibitedChars>
  <ProhibCharEncoding display="false">
    <Command display="false" name="Command1">
      <Attribute display="false" name="parameter3" />
    </Command>
    <Command display="false" name="Command2">
      <Attribute display="false" name="parameter4" />
    </Command>
  </ProhibCharEncoding>
</XSiteScriptingProtection>
If you have migrated from an earlier version of WebSphere Commerce, your XSiteScriptingProtection block might have attribute values encoded as HTML entities. As an example, the following is equivalent to the ProhibitedChars element above:
<ProhibitedChars display="false">
  <Character display="&#102;&#97;&#108;&#115;&#101;" name="&#60;&#83;&#67;&#82;&#73;&#80;&#84;" />
  <Character display="&#102;&#97;&#108;&#115;&#101;" name="&#60;&#37;" />
  <Character display="&#102;&#97;&#108;&#115;&#101;" name="&#38;&#108;&#116;&#59;&#37;" />
  <Character display="&#102;&#97;&#108;&#115;&#101;" name="&#38;&#108;&#116;&#59;&#83;&#67;&#82;&#73;&#80;&#84;" />
</ProhibitedChars>
The attributes are defined as follows:
- XSiteScriptingProtection.enabled
- Specifies whether cross-site scripting protection is enabled. Possible values are true (the default) or false.
- XSiteScriptingProtection.ProhibitedAttrs.Attribute.name
- The name of command attributes (parameter) that are not allowed. The values are case-sensitive and must match exactly. Example:
<ProhibitedAttrs display="false">
  <Attribute display="false" name="parameter1" />
  <Attribute display="false" name="parameter2" />
</ProhibitedAttrs>
This definition will block the following request because it has an attribute named parameter1:
- XYZCommand?storeId=10001&parameter1=27&catalogId=10051
The following requests will be allowed because their attribute names do not exactly match any of the restricted attributes:
- XYZCommand?storeId=10001&parameter10=27&catalogId=10051
- XYZCommand?storeId=10001&Parameter2=27&catalogId=10051
- XSiteScriptingProtection.ProhibitedChars.Character.name
- Prohibited strings that should not appear anywhere in the request name or in the attribute values. The prohibited string is case-insensitive and will also block larger strings that contain the specified string.
The following strings are specified by default. These strings are most commonly used as scripting tags in malicious cross-site scripting attacks:
- <SCRIPT
- &lt;SCRIPT
- <%
- &lt;%
The following strings are not specified by default, but IBM recommends that you add them to prevent phishing attacks:
- javascript
- &#10;&#13;
- &#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;
- &#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;
Example:
<ProhibitedChars display="false">
  <Character display="false" name="<SCRIPT"/>
  <Character display="false" name="<%"/>
  <Character display="false" name="&lt;%"/>
  <Character display="false" name="&lt;SCRIPT"/>
</ProhibitedChars>
This definition will block the following request:
Request | Reason |
---|---|
XYZCommand?storeId=abc<script123&storeId=101 | Contains the prohibited string "<script" in one of the attribute values. |
- XSiteScriptingProtection.ProhibCharEncoding.Command.name
- The name of a command (action path; defined in Struts configuration files) to exclude from cross-site scripting protection by allowing the value of its specified parameter to contain prohibited strings. The name of the corresponding parameter is specified in the XSiteScriptingProtection.ProhibCharEncoding.Command.Attribute.name attribute. Example:
<ProhibCharEncoding display="false">
  <Command display="false" name="Command1">
    <Attribute display="false" name="parameter3" />
  </Command>
  <Command display="false" name="Command2">
    <Attribute display="false" name="parameter4" />
  </Command>
</ProhibCharEncoding>
This definition will allow the following request:
Request | Reason |
---|---|
Command1?parameter3=<scripting | Although "<script" is normally a prohibited string, Command1 and parameter3 have been specified as an exception pair in the ProhibCharEncoding element. |
As expected, the following request will still be rejected:
Request | Reason |
---|---|
Command2?parameter3=<script | Command2 and parameter3 have not been specified as an exception pair in the ProhibCharEncoding element; therefore, parameter3 is not allowed to contain the prohibited string "<script". |
WC_installdir/bin/config_ant.sh -DinstanceName=instance UpdateEAR
When a cross-site scripting violation has been detected, the request is changed to go to the ProhibCharEncodingErrorView view.
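To make the three rules above concrete (exact, case-sensitive attribute names; case-insensitive prohibited substrings in the request name and attribute values; per-command exception pairs), here is an added Python model of that logic run over the page's own sample requests. It is not WebSphere Commerce's code; it assumes the policy values from the example block and that matching is done on the raw query string, since the page does not say whether URL decoding happens first.

```python
# Added model of the documented XSS-protection rules; not WebSphere Commerce's own code.
# Assumptions: policy values come from the example block above, and matching is done
# on the raw query string (the page does not say whether URL decoding happens first).

PROHIBITED_ATTRS = {"parameter1", "parameter2"}               # exact, case-sensitive names
PROHIBITED_STRINGS = ["<SCRIPT", "<%", "&lt;%", "&lt;SCRIPT"]  # case-insensitive substrings
# ProhibCharEncoding: command -> parameters whose values may contain prohibited strings
EXCEPTIONS = {"Command1": {"parameter3"}, "Command2": {"parameter4"}}


def parse_request(request):
    """Split 'Command?a=1&b=2' into the command name and an ordered list of (name, value)."""
    command, _, query = request.partition("?")
    params = []
    for pair in (query.split("&") if query else []):
        name, _, value = pair.partition("=")
        params.append((name, value))
    return command, params


def check_request(request):
    """Return None when the request passes, otherwise the reason it is rejected."""
    command, params = parse_request(request)
    # Rule 1: a prohibited attribute name blocks the request regardless of its value.
    for name, _ in params:
        if name in PROHIBITED_ATTRS:
            return f'attribute "{name}" is prohibited'
    # Rule 2: prohibited strings may not appear in the request name or any value,
    # except in the (command, parameter) pairs listed under ProhibCharEncoding.
    exempt = EXCEPTIONS.get(command, set())
    candidates = [("the request name", command)]
    candidates += [(f'attribute "{n}"', v) for n, v in params if n not in exempt]
    for where, text in candidates:
        for bad in PROHIBITED_STRINGS:
            if bad.lower() in text.lower():
                return f'contains the prohibited string "{bad}" in {where}'
    return None


# The page's sample requests, constructed inline so the script runs offline.
SAMPLE_REQUESTS = [
    "XYZCommand?storeId=10001&parameter1=27&catalogId=10051",   # blocked: parameter1
    "XYZCommand?storeId=10001&parameter10=27&catalogId=10051",  # allowed: not an exact match
    "XYZCommand?storeId=10001&Parameter2=27&catalogId=10051",   # allowed: case differs
    "XYZCommand?storeId=abc<script123&storeId=101",             # blocked: "<script"
    "Command1?parameter3=<scripting",                            # allowed: exception pair
    "Command2?parameter3=<script",                               # blocked: no exception
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = check_request(req)
        print(f"{'REJECT' if verdict else 'ALLOW '} {req}" + (f"  ({verdict})" if verdict else ""))
```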