Technote

(FAQ)
Run Rational AppScan against WebSphere Commerce version 6.0 starter stores
Which items need to be configured before running Rational AppScan against WebSphere Commerce version 6.0 starter stores?


Answer

The following items need to be configured to further enhance site security, and should be completed before scanning your store with Rational AppScan. AppScan might generate different results depending on your store customizations.

AppScan provides different sets of test policies. For PCI certification purposes, IBM recommends using the "default" test policy to scan your store.

  1. Apply WebSphere Commerce Fix Pack 4 or later, as this introduces new features and fixes that help enhance site security.

  2. Configure Cross Site Scripting Protection to block additional characters.

  3. Enable URL redirect filtering to allow URL redirection only to certain domains.

  4. By default, WebSphere Commerce ships generic error pages that print out error stack traces. These stack traces are helpful during development for debugging. When these JSPs are deployed on an external system, the stack traces should not be displayed, as they may reveal internal information.

    To eliminate the stack traces, modify the following JSPs so that they do not print the error stack trace:
    <was_profiles>/installedApps/.../Stores.war/GenericSystemError.jsp
    <was_profiles>/installedApps/.../Stores.war/GenericApplicationError.jsp
    <was_profiles>/installedApps/.../Stores.war/<store_name>/GenericError.jsp

    Also modify the above pages to return an HTTP error status code in the response:
    <% response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); %>
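As an added illustration of step 4, the following is a minimal hardened error page written for this technote; it is not the GenericError.jsp shipped with WebSphere Commerce. It sets the 500 status before anything is written, keeps the stack trace in the server log, and returns only a generic message plus a reference id to the client. The logger name and the reference-id format are assumptions.

```jsp
<%-- Hypothetical hardened error page (added example, not the JSP shipped with WebSphere Commerce). --%>
<%@ page isErrorPage="true" contentType="text/html; charset=UTF-8" %>
<%@ page import="java.util.logging.Level, java.util.logging.Logger" %>
<%
    // Report the failure as an HTTP 500 rather than a 200 with an error message in the body.
    // setStatus only takes effect before the response is committed, so it runs first.
    response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    // Keep the error page out of shared caches.
    response.setHeader("Cache-Control", "no-store");

    // Keep the stack trace on the server: log it instead of writing it into the HTML.
    // Logger name and reference-id format are assumptions made for this example.
    Logger log = Logger.getLogger("com.example.store.errors");
    String ref = Long.toHexString(System.currentTimeMillis());
    if (exception != null) {
        // 'exception' is the JSP implicit object available because isErrorPage="true".
        log.log(Level.SEVERE, "Unhandled store error, ref=" + ref, exception);
    } else {
        // The page was requested directly rather than through the error-page mechanism.
        log.log(Level.SEVERE, "Error page invoked without an exception, ref=" + ref);
    }
%>
<html>
<head><title>We are unable to process your request</title></head>
<body>
  <%-- Only a generic message and the reference id reach the client:
       no exception class, exception message, stack trace or request parameters. --%>
  <h1>We are unable to process your request.</h1>
  <p>Please try again later. If the problem continues, contact customer service
     and quote reference <%= ref %>.</p>
</body>
</html>
```

The reference id is a hex string generated by the server, so writing it into the page with `<%= ref %>` does not echo any client-controlled data; if you later include anything derived from the request, it must be HTML-escaped first. The `exception` implicit object is null when the JSP is requested directly, which is why the scriptlet checks it before logging.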

  5. Exclude the internal URL parameter ddkey from testing, as this parameter is not externalized and is removed by WebSphere Commerce before any request processing begins.

    1. Launch the Scan Configuration tool.

    2. Select "Parameters and Cookies" under the "Explore" option.

    3. Add a new parameter called "ddkey".

    4. Select the "Test Exclude" check box to exclude this parameter from the scan.

  6. Disable HTTP tracing to remove any vulnerability through which user cookies may be logged.

  7. AppScan may report a false failure for tests that perform a logout. WebSphere Commerce uses a distinct, user-specific cookie name: when a user logs out, the logged-out user's cookie is removed from the browser and a new one is generated. The AppScan test, however, adds the removed cookies back to the next request alongside the new cookies and expects that request to fail. Because the request uses the new cookies and ignores the added ones, the request succeeds. If the scan reports this as an error, no action needs to be taken.

Cross Reference information
Segment  | Product                                 | Component | Platform                            | Version                                 | Edition
Commerce | WebSphere Commerce - Express            | Security  | i5/OS, Linux, Windows               | 6.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4 |
Commerce | WebSphere Commerce Professional Edition | Security  | AIX, i5/OS, Linux, Solaris, Windows | 6.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4 |

Document Information

Current web document: http://www.ibm.com/support/docview.wss?uid=swg21300188