12.7.2 Option 2: Filtering

By default, the XSS detection filter is enabled in the Identity Provider's web.xml file, located at:

  • Linux: /opt/novell/nam/idp/webapps/nidp/WEB-INF

  • Windows: C:\Program Files\Novell\Tomcat\webapps\nidp\WEB-INF

NOTE: With Access Manager 4.5 Service Pack 5, the XSS Detection Filter is configured by default with ALL_TAGS as the parameter value instead of SCRIPT_TAG. Users can change this back to SCRIPT_TAG by editing the web.xml file if required.

The filter is as follows:

<filter>
    <filter-name>XSSDetectionFilter</filter-name>
    <filter-class>com.novell.nidp.servlets.filters.xss.XSSDetectionFilter</filter-class>
    <description>This filter is used to detect XSS attacks in NIDS</description>
    <init-param>
        <param-name>active</param-name>
        <param-value>True</param-value>
    </init-param>
    <init-param>
        <param-name>level</param-name>
        <param-value>SCRIPT_TAGS</param-value>
    </init-param>
    <init-param>
        <param-name>exclude</param-name>
        <param-value>soap,wstrust,metadata,oauth</param-value>
    </init-param>
</filter>

To disable it, change the active <param-value> from True to False as follows:

<init-param>
    <param-name>active</param-name>
    <param-value>False</param-value>
</init-param>

To exclude a specific request from filtering, add a path string from that request's URL to the <param-value> of the <param-name>exclude</param-name> init-param, which already lists the request paths excluded by default.

For example, if a wsfed request fails for some reason, add wsfed to the exclude list. The Identity Provider will then no longer filter wsfed-specific requests. The exclude init-param is as follows:

<init-param>
    <param-name>exclude</param-name>
    <param-value>soap,wstrust,metadata,oauth,wsfed</param-value>
</init-param>
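As an added example (not part of the product or of this documentation), the following Python script parses a web.xml and reports the XSSDetectionFilter's state, so that after an edit or an upgrade you can verify the filter is still active, at the level you expect, and that the exclude list carries only the paths you intended. The inline sample web.xml, the Java EE namespace URI and the ALL_TAGS expected level are assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed sample: the page's default filter plus "wsfed" in the exclude list.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
<filter>
  <filter-name>XSSDetectionFilter</filter-name>
  <filter-class>com.novell.nidp.servlets.filters.xss.XSSDetectionFilter</filter-class>
  <init-param><param-name>active</param-name><param-value>True</param-value></init-param>
  <init-param><param-name>level</param-name><param-value>SCRIPT_TAGS</param-value></init-param>
  <init-param><param-name>exclude</param-name><param-value>soap,wstrust,metadata,oauth,wsfed</param-value></init-param>
</filter>
</web-app>"""

def _local(tag):
    """Strip a namespace prefix: '{http://...}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]

def xss_filter_settings(web_xml_text, filter_name="XSSDetectionFilter"):
    """Return {'active': bool, 'level': str, 'exclude': [..]} or None if absent."""
    for flt in ET.fromstring(web_xml_text).iter():
        if _local(flt.tag) != "filter":
            continue
        name, params = None, {}
        for child in flt:
            if _local(child.tag) == "filter-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name")] = kv.get("param-value", "")
        if name == filter_name:  # only the XSS filter's init-params matter
            return {
                "active": params.get("active", "").lower() == "true",
                "level": params.get("level", ""),
                "exclude": [p for p in params.get("exclude", "").split(",") if p],
            }
    return None

def audit(settings, expected_level="ALL_TAGS"):
    """List findings to review; empty means on, at expected level, default excludes."""
    if settings is None:
        return ["XSSDetectionFilter not found in web.xml"]
    findings = []
    if not settings["active"]:
        findings.append("filter is disabled (active=False)")
    if settings["level"] != expected_level:
        findings.append(f"level is {settings['level']!r}, expected {expected_level!r}")
    # Defaults from the page; every extra path is a request type the filter skips.
    extra = [p for p in settings["exclude"] if p not in ("soap", "wstrust", "metadata", "oauth")]
    if extra:
        findings.append("non-default exclusions: " + ",".join(extra))
    return findings
```

Run it against the real file with `audit(xss_filter_settings(open(path).read()))`; an empty list means nothing to review.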

NOTE: The option above is recommended because it overrides the following approach.

This approach might have a minor performance impact due to the checks it performs. If you perform HTML escaping in customized JSP pages, you do not need to perform this additional filtering.

Perform the following steps to sanitize the Identity Server's customized JSP file:

  1. The eMFrame_xss.jar file is located at:

    Linux: /opt/novell/nids/lib/webapp/nidp/WEB-INF/lib

    Windows: \Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\lib

    This library prevents XSS-based attacks.

  2. Add a filter in the web.xml file located at:

    Linux: /opt/novell/nam/idp/webapps/nidp/WEB-INF

    Windows: \Program Files\Novell\Tomcat\webapps\nidp\WEB-INF

    <filter>
        <filter-name>XSS</filter-name>
        <display-name>XSS</display-name>
        <description>Filters XSS injections.</description>
        <filter-class>com.novell.emframe.fw.filter.CrossScriptingFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>XSS</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

  3. Restart Identity Server by running the following command:

    Linux: /etc/init.d/novell-idp restart

    Windows: net start Tomcat8