Prevention of vulnerability caused by cross-site scripting

Cross-site scripting is a known technique for deploying malicious scripts on browsers. Web servers that incorrectly reflect user-supplied data to the browser without properly escaping the data are vulnerable to this type of attack.

WebSEAL provides limited protection against cross-site scripting for junctioned applications through URL string filtering. Other solutions, such as the Web Content Protection feature of the appliance, can also help protect against these types of attacks.

Configuration of URL string filtering

You can configure WebSEAL to reject an incoming request if the request URL contains a defined string pattern. WebSEAL rejects incoming URL requests if they contain any of the string patterns defined in the [illegal-url-substrings] stanza. The [illegal-url-substrings] feature is deprecated. IBM might remove this feature in a subsequent release of the product.

In the WebSEAL configuration file, add a separate entry in the [illegal-url-substrings] stanza to represent each string pattern that we want WebSEAL to reject. For example:

If WebSEAL detects any configured string fragment in the requested URL, WebSEAL rejects the request and returns a 400 "Bad Request" error page.

WebSEAL, by default, filters strings that contain <script. If we require additional filtering, we must create the [illegal-url-substrings] stanza and list all substrings individually.

We can completely disable the URL string filtering feature, including the default behavior, by placing an empty [illegal-url-substrings] stanza in the WebSEAL configuration file.
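The three behaviours described above (default list, explicit stanza, empty stanza disabling the filter) as a small Python model; this is an added example, not WebSEAL code. It assumes the stanza entries use the key `substring` (as in `substring = <script`) and that matching is a plain substring test on the percent-decoded request URL, which is a modelling choice here rather than documented WebSEAL behaviour.

```python
"""Model of WebSEAL's [illegal-url-substrings] request filtering (added example)."""
from typing import List, Optional
from urllib.parse import unquote

# The page states that WebSEAL filters "<script" when no stanza is configured.
DEFAULT_SUBSTRINGS = ["<script"]

# Constructed config fragments for the demonstration.
CUSTOM_CONFIG = """
[illegal-url-substrings]
substring = <script
substring = <applet
substring = <embed
"""
EMPTY_CONFIG = "[illegal-url-substrings]\n"   # empty stanza: filtering disabled


def load_illegal_substrings(config_text: str) -> List[str]:
    """Return the substrings WebSEAL would reject for this config fragment.

    stanza absent  -> the default list ("<script")
    empty stanza   -> [] (URL string filtering disabled)
    stanza present -> each 'substring = ...' entry listed under it (assumed key name)
    """
    in_stanza = False
    stanza_seen = False
    substrings: List[str] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_stanza = line == "[illegal-url-substrings]"
            stanza_seen = stanza_seen or in_stanza
            continue
        if in_stanza and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "substring":
                substrings.append(value.strip())
    return substrings if stanza_seen else list(DEFAULT_SUBSTRINGS)


def check_request_url(url: str, illegal: List[str]) -> Optional[int]:
    """Return 400 (Bad Request) if any configured fragment appears in the URL, else None.

    Percent-decoding before matching is an assumption of this model.
    """
    decoded = unquote(url)
    return 400 if any(fragment in decoded for fragment in illegal) else None
```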

Functional notes:

Parent topic: Web server security configuration
