2.5 Preventing Cross-site Scripting Attacks

By default, Access Manager performs extensive checks to prevent Cross-site Scripting (XSS) attacks. However, Access Manager does not validate a JSP file that you have customized. If you modify JSP files to customize the login, logout, error pages, and so forth, you must sanitize the JSP file yourself to prevent XSS attacks.

Use one of the following options to sanitize the customized JSP file:

2.5.1 Option 1: HTML Escaping

Perform the following XSS checks for the customized JSP file to protect it from possible XSS attacks. For more information about XSS prevention techniques, see XSS (Cross Site Scripting) Prevention Cheat Sheet.

Perform the following steps:

  1. Verify that the org.apache.commons.lang.StringEscapeUtils class is imported in the JSP file.

    For example, the following import statement should be available in the import section of the JSP file:

    <%@ page import="org.apache.commons.lang.StringEscapeUtils"%>

  2. Verify that all URL query parameter values are sanitized.

    The following sample shows how the URL query parameter values (uname and target) can be sanitized:

    <%
    // Fetch the values from URL query parameters
    String target = (String) request.getAttribute("target");
    String uname = (String) request.getAttribute("username");
    String sanitizedUName = "";
    if (uname != null) {
        // Sanitize the value assigned to uname
        sanitizedUName = StringEscapeUtils.escapeHtml(uname);
    }
    String sanitizedTarget = "";
    if (target != null) {
        // Sanitize the value assigned to the target query param
        sanitizedTarget = StringEscapeUtils.escapeHtml(target);
    }
    %>

  3. Add double quotes ("") around the value attribute (or any other attribute that is dynamically assigned) of every HTML element that receives one of the URL query parameter values above.

    <!-- The last 2 double quotes are mandatory to prevent XSS attacks -->
    <input type="text" class="smalltext" name="Ecom_User_ID" size="30" value="<%=sanitizedUName%>">
    ......
    <!-- The last 2 double quotes are mandatory to prevent XSS attacks -->
    <input type="hidden" name="target" value="<%=sanitizedTarget%>">

  4. Restart the component whose JSP file you have modified. For example, if you modify the Identity Server’s JSP file, restart the Identity Server by running the following command:

    Linux: sh /etc/init.d/novell-idp restart

    Windows: net start Tomcat7
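    The following Java class is an added example, not part of the Access Manager documentation: it applies the same StringEscapeUtils.escapeHtml() call that the JSP steps above rely on, outside the servlet container, so the escaped output and the rendered <input> markup can be inspected before the customized page is deployed. It assumes commons-lang 2.x (org.apache.commons.lang) is on the classpath; the class name JspEscapeCheck and its helper methods are hypothetical.

```java
// Added example (not vendor code): exercises the escaping used by the customized
// JSP outside the container. Assumes commons-lang 2.x on the classpath.
import org.apache.commons.lang.StringEscapeUtils;

public class JspEscapeCheck {

    // Mirrors the JSP scriptlet: null-safe HTML escaping of an untrusted value.
    static String sanitize(String value) {
        return value == null ? "" : StringEscapeUtils.escapeHtml(value);
    }

    // Mirrors the <input> markup from step 3. The value attribute is wrapped in
    // double quotes, and escapeHtml() turns " into &quot;, so the escaped value
    // cannot terminate the attribute early.
    static String renderUserIdField(String uname) {
        return "<input type=\"text\" class=\"smalltext\" name=\"Ecom_User_ID\" size=\"30\" value=\""
                + sanitize(uname) + "\">";
    }

    static String renderTargetField(String target) {
        return "<input type=\"hidden\" name=\"target\" value=\"" + sanitize(target) + "\">";
    }

    // Review check for the dynamic value: after escaping it must contain none of
    // the characters that close a double-quoted attribute or open a tag.
    static boolean attributeValueIsSafe(String escaped) {
        return escaped.indexOf('"') < 0 && escaped.indexOf('<') < 0 && escaped.indexOf('>') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample inputs standing in for request-supplied values.
        String[] samples = { "alice", "\"><b>bold</b>", "it's <me>", null };
        for (String s : samples) {
            String escaped = sanitize(s);
            System.out.println("raw:     " + s);
            System.out.println("escaped: " + escaped);
            System.out.println("safe:    " + attributeValueIsSafe(escaped));
            System.out.println("markup:  " + renderUserIdField(s));
            System.out.println("target:  " + renderTargetField(s));
            System.out.println();
        }
        // commons-lang 2.x escapeHtml() leaves the single quote (') unescaped,
        // which is why the attribute must use double quotes, as step 3 requires.
    }
}
```

    Run it with the commons-lang 2.x jar on the classpath; the third sample shows that the single quote survives escaping, so a single-quoted attribute would not be protected.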

2.5.2 Option 2: Filtering

This approach might have a minor performance impact due to the checks it performs. If you perform HTML escaping in customized JSP pages, you do not need to perform this additional filtering.

Perform the following steps to sanitize the Identity Server’s customized JSP file:

  1. Download the eMFrame_xss.jar file from https://www.netiq.com/documentation/netiqaccessmanager32/resources/eMFrame_xss.jar.

    This library prevents XSS-based attacks.

  2. Place this library at the following location:

    Linux: /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib

    Windows: \Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF\lib

  3. Add a filter to the web.xml file located at the following location:

    Linux: /opt/novell/nam/idp/webapps/nidp/WEB-INF

    Windows: \Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF

    <filter>
        <filter-name>XSS</filter-name>
        <display-name>XSS</display-name>
        <description>Filters XSS injections.</description>
        <filter-class>com.novell.emframe.fw.filter.CrossScriptingFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>XSS</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

  4. Restart the Identity Server by running the following command:

    Linux: sh /etc/init.d/novell-idp restart

    Windows: net start Tomcat7