Enabling cross site scripting protection

Use the Cross Site Scripting Protection node of the Configuration Manager to enable or disable cross site scripting protection for your instance. When enabled, cross site scripting protection rejects any user requests that contain attributes or strings that are designated as not allowable. You can specify the disallowed attributes and strings in this node of the Configuration Manager. You can also exclude commands from cross site scripting protection by allowing the values of specified attributes for that particular command to contain prohibited strings. Cross site scripting protection is disabled by default.

Warning: Cross site scripting protection is a restrictive feature in that it will restrict the execution of the commands based on the configuration. The feature does not check what attributes or strings have been defined as prohibited, so when you configure it, make sure that prohibited attributes are not those used by the commands. Also make sure the prohibited strings are not values that are usually passed to the commands. Use extreme caution when configuring this feature.

To enable this feature:

  1. To use the cross site scripting security feature for a store, you need to define the ProhibitedAttrsErrorView, ProhibitedCharacterErrorView, and ProhibCharEncodingErrorView views for the store as described in Cross site scripting protection.
  2. Open the Configuration Manager.
  3. Traverse to the Cross Site Scripting Protection node for your instance as follows: WebSphere Commerce > host_name > Instance List > instance_name > Instance Properties > Cross Site Scripting Protection
  4. Use the General tab to activate the cross site scripting protection feature, as follows:
    1. Click Enable.
    2. To add attributes that you wish to disallow for WebSphere Commerce commands, right-click on the Prohibited Attributes table and select Add row. Type the attribute that you wish to disallow. You can only specify one attribute per row.
    3. To remove attributes from the Prohibited Attributes table, highlight and right-click the line containing the attribute in the table and select Delete row.
    4. To add strings that you wish to disallow for WebSphere Commerce commands, right-click on the Prohibited Characters table and select Add row. Type the string that you wish to disallow. You can only specify one string per row.
    5. To remove characters from the Prohibited Characters table, highlight and right-click the line containing the character in the Prohibited Characters table and select Delete row.

    Note: The following strings are specified by default in the prohibited characters fields. These strings are most commonly used as scripting tags in malicious cross site scripting attacks:

    • <SCRIPT
    • &lt;SCRIPT
    • <% and &lt;%
  5. Use the Advanced tab to exclude WebSphere Commerce commands from cross site scripting protection by allowing the values of specified attributes for that particular command to contain prohibited strings as follows:
    1. Select the commands from the Command List box.
    2. Type in a list of attributes, separated by commas, for which prohibited characters are allowed in the List of Excepted Attributes window and click Add.
    3. To remove a command along with its attributes, select the command from the List of Excepted Commands window and click Remove.

    You can also remove specific attributes from a command by selecting the attribute and clicking Remove.

  6. To apply your changes to Configuration Manager, click Apply.
  7. Upon successfully updating the configuration for your instance, you will receive a message indicating a successful update.
  8. From the WebSphere Application Server Administration Console, stop then restart the WebSphere Commerce Server instance.
Notes:
  1. When commands are excluded from cross site scripting protection, the values of the specified attributes will be encoded using HTML encoding of symbols. For example, the command

    cmd1?user=<Thomas>

    is encoded as:

    cmd1?user=&#60;Thomas&#62;

  2. When you specify the string in the prohibited characters fields, be aware that:
    • A certain sequence of characters can cause the string to be converted to a single character in compliance with URL encoding standards. For example, the string <%bb would be converted into the string <X, where X is the single character whose hexadecimal value is HEX 'bb' (decimal 187). In this case the string <%bb will not be caught by cross site scripting protection if passed in a URL.
    • A certain sequence of characters can cause the string conversion to fail if it does not comply with URL encoding standards. For example, the string <%gg would cause conversion to fail, since HEX 'gg' is not a valid hexadecimal value. In this case, the string <%gg will cause an exception, resulting in no response to the URL request containing such a string, whether or not cross site scripting protection is enabled.
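The two notes above describe ordering: the request is URL-decoded first, then the prohibited strings are matched against the decoded values, and excepted attributes are HTML-encoded instead of rejected. The following model, added here as an illustration and not WebSphere Commerce's own code, reproduces that behaviour with a strict percent-decoder so the <%bb and <%gg cases can be seen directly; case-insensitive matching, the set of HTML-encoded characters, and attribute-level (rather than per-command) exceptions are this model's assumptions.

```python
# Added illustration, not WebSphere Commerce code: models how the prohibited-
# string check interacts with URL decoding (notes 1 and 2 above). Case-
# insensitive matching, the encoded character set and attribute-level (rather
# than per-command) exceptions are this model's assumptions.
HEX_DIGITS = set("0123456789abcdefABCDEF")
PROHIBITED_STRINGS = ("<SCRIPT", "&lt;SCRIPT", "<%", "&lt;%")  # page defaults

def strict_percent_decode(raw):
    """URL-decode %XX escapes; raise ValueError on a malformed one like '%gg'."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "%":
            hexpart = raw[i + 1:i + 3]
            if len(hexpart) != 2 or not set(hexpart) <= HEX_DIGITS:
                raise ValueError("bad percent-escape at offset %d" % i)
            out.append(chr(int(hexpart, 16)))  # '%bb' collapses to one character
            i += 3
        else:
            out.append(" " if raw[i] == "+" else raw[i])
            i += 1
    return "".join(out)

def html_encode(value):
    """Decimal character references: '<Thomas>' -> '&#60;Thomas&#62;'."""
    return "".join("&#%d;" % ord(c) if c in "<>&\"'" else c for c in value)

def is_prohibited(value):
    """Containment test on the *decoded* value; this is why '<%bb' evades '<%'."""
    lowered = value.lower()
    return any(bad.lower() in lowered for bad in PROHIBITED_STRINGS)

def filter_request(query, protection_enabled=True, excepted=frozenset()):
    """Return (verdict, params). Decoding runs before the check, so a bad
    escape fails the request whether or not protection is enabled."""
    try:
        decoded = [(strict_percent_decode(n), strict_percent_decode(v))
                   for n, _, v in (p.partition("=") for p in query.split("&") if p)]
    except ValueError:
        return "decode-error", {}
    params = {}
    for name, value in decoded:
        if name in excepted:
            params[name] = html_encode(value)  # excepted: encoded, not rejected
        elif protection_enabled and is_prohibited(value):
            return "rejected", {}
        else:
            params[name] = value
    return "accepted", params
```

The practical consequence for configuration is visible in the <%bb case: a prohibited string that ends in a character which can start a percent-escape is only reliable if the check also runs on the decoded form of the value, which is what the model does.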

Example: Consider the following examples:
