Enhancing security in IBM WCS
1. Protecting against Cross-site Scripting (XSS) Attacks
What is a Cross Site Scripting vulnerability?
Cross-site Scripting allows an attacker to alter the behavior of your site in many ways, such as inserting HTML, running JavaScript or displaying images.
How does it occur?
Let's take the following line of code:
<li class="current">${searchTerm}</li>
If someone were to modify the search term to something malicious, similar to the following, it will produce an unwanted result.
To control it:
<li class="current"><wcf:out value="${searchTerm}"/></li>
By converting the value to HTML entities, this code makes the browser display the text as entered instead of running it as though it were a script (HTML, JavaScript, etc.).
Using the above example, the input was encoded into HTML entities, so the browser shows it literally, similar to the following:
</div><img src=http://<servername>/<someimage>.jpg><div>
Although XSiteScriptingProtection is enabled in wc-server.xml for the Store by default, it does not stop this particular case. The OOTB prohibitedChar rules are defined to stop script tags; adding all possible HTML tags to them could impact both performance and store functionality, which is why output encoding with wcf:out is needed in the JSP itself.
2. Enabling WhiteList data validation
When enabled, WhiteList data validation ensures that when a URL command or view is run, the parameter values conform to a specified regular expression. For example, you can configure it so that the storeId must be an integer. When a WhiteList violation is detected, the request is changed to the ProhibCharEncodingErrorView view. WhiteList data validation is disabled by default.
Procedure
1. Open the WebSphere Commerce configuration file.
2. Search for the following element outside of the <Module> element:
<XSiteScriptingProtection display="false" enabled="true" name="Cross Site Scripting Protection">
3. Insert the following sample WhiteList configuration before the preceding element, and modify it to suit your business needs:
<WhiteListProtection enabled="true" name="WhiteListProtection" display="false">
  <param name="storeId" regex="[-]?[0-9]*"/>
  <param name="langId" regex="[-]?[0-9]*"/>
  <param name="catalogId" regex="[-]?[0-9]*"/>
  <param name="categoryId" regex="[-]?[0-9]*"/>
  <param name="productId" regex="[-]?[0-9]*"/>
  <param name="parent_category_rn" regex="[-]?[0-9]*"/>
  <param name="physicalStoreId" regex="[-]?[0-9]*"/>
  <param name="geoNodeId" regex="[-]?[0-9]*"/>
</WhiteListProtection>
<XSiteScriptingProtection display="false" enabled="true" name="Cross Site Scripting Protection">
Where:
WhiteListProtection.enabled
Global flag to enable or disable WhiteList data validation. Valid values are true or false.
WhiteListProtection.param.name
The name of the parameter to be validated.
WhiteListProtection.param.regex
The regular expression that defines the allowed values. The regular expression syntax is based on the standard that is used by Java. For the regular expression syntax, see the Sun Class Pattern Java API documentation.
WhiteListProtection.param.maxLength
The maximum number of characters allowed.
4. In each web module that requires WhiteList data validation, search for the corresponding Module element. For example, the Stores web module element:
<Module contextPath="/webapp/wcs/stores" fileServletEnabled="false" name="Stores" urlMappingPath="/servlet" webAlias="/wcsstore">
  <InitParameters adapters="XML/HTTP, BrowserAdapter" contextSetName="Store" handleDoubleClick="true"/>
  <URLRedirectFilter enable="true"/>
</Module>
5. Insert a WhiteListProtection element to enable this feature for that web module:
<WhiteListProtection enable="true"/>
For instance, to enable WhiteList data validation in the Stores web module, the WhiteListProtection element is added as the last child of the Module element in the following snippet:
<Module contextPath="/webapp/wcs/stores" fileServletEnabled="false" name="Stores" urlMappingPath="/servlet" webAlias="/wcsstore">
  <InitParameters adapters="XML/HTTP, BrowserAdapter" contextSetName="Store" handleDoubleClick="true"/>
  <URLRedirectFilter enable="true"/>
  <WhiteListProtection enable="true"/>
</Module>
Note: If the WhiteListProtection element is not specified for a web module, the default WhiteListProtection value is false (WhiteList data validation disabled).
6. Start your WebSphere Commerce instance if it is not already started.
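The two controls described above, output encoding of the search term and WhiteList regex validation of URL parameters, as an added stand-alone example in Python; this is not WebSphere Commerce code. It assumes the validator performs a whole-string match (as Java's String.matches() does, mirrored here by re.fullmatch), uses the regex rules from the sample configuration, and uses a constructed payload in the shape of the page's injected search term.

```python
import html
import re

# Rules copied from the sample WhiteListProtection configuration above.
WHITELIST = {
    "storeId": r"[-]?[0-9]*",
    "langId": r"[-]?[0-9]*",
    "catalogId": r"[-]?[0-9]*",
    "productId": r"[-]?[0-9]*",
}

# Constructed payload in the same shape as the page's injected search term.
MALICIOUS_TERM = "</div><img src=http://example.invalid/someimage.jpg><div>"


def encode_for_html(value: str) -> str:
    """Mimic what <wcf:out value="..."/> does: turn the HTML-significant
    characters into entities so the browser shows the text literally."""
    return html.escape(value, quote=True)


def render_current_term(search_term: str, escape: bool) -> str:
    """Render the page's <li class="current"> line, either raw (the
    vulnerable form) or with output encoding applied (the fixed form)."""
    shown = encode_for_html(search_term) if escape else search_term
    return f'<li class="current">{shown}</li>'


def whitelist_violations(params: dict) -> list:
    """Return the names of parameters whose value does not fully match
    their configured regex. Assumption: whole-string match like Java's
    String.matches(). Parameters without a rule are left unchecked, as
    only configured names are validated."""
    bad = []
    for name, value in params.items():
        rule = WHITELIST.get(name)
        if rule is not None and re.fullmatch(rule, value) is None:
            bad.append(name)
    return bad
```

Note that the sample regex `[-]?[0-9]*` also accepts an empty value and a lone "-"; if those are never legitimate for your store, `[-]?[0-9]+` rejects them while still allowing negative integers.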