Focal Point
[SOLVED] Looping through all passed Params

This topic can be found at:
https://forums.informationbuilders.com/eve/forums/a/tpc/f/7971057331/m/3667021586

January 05, 2017, 01:49 PM
GavinL
[SOLVED] Looping through all passed Params
Is there a way in WebFOCUS to loop through all passed Params?

I ask, because I've attempted to use "IBI_XSS_Protection" and "IBI_XSS_Mode_Block" to prevent unwanted values within our params like "%27%2Balert%28179%29%2B%27" added to our query strings and it doesn't seem to work.

My thought is to write a separate fex and include it within all outward facing fexes that checks for specific chars that should never exist like "+" or "'" and wipe the vars entirely if they do.

Anyone had to do this?




- FOCUS Man, just FOCUS!
-----------------------------
Product: WebFOCUS
Version: 8.1.04
Server: Windows 2008 Server
January 05, 2017, 02:15 PM
Waz
I haven't done it, but my first thought was to use -? & SAVE

I threw this together, not sure why it prefixes the save with an 'as.'

Also not sure if it gets all &vars, but seems to have them all.


-? & SAVE AS passvars

FILEDEF PASSED_VARS DISK FOCCACHE/as.passvars

EX -LINES * EDAPUT MASTER,PASSED_VARS,CV,FILE
FILENAME=PASSED_VARS, SUFFIX=FIX, $
SEGNAME=PASSED_VARS, $
  FIELD=VARIABLE, ALIAS=  ,A500,A500,$
EDAPUT*

-RUN

TABLE FILE PASSED_VARS 
PRINT VARIABLE
END



Waz...

Prod: WebFOCUS 7.6.10/8.1.04
Upgrade: WebFOCUS 8.2.07
OS: Linux
Outputs: HTML, PDF, Excel, PPT
In Focus since 1984
Pity the lost knowledge of an old programmer!

January 05, 2017, 02:39 PM
Tony A
quote:
-? & SAVE AS passvars

Use SAVE passvars instead to get the filename that you thought that should result.

Yes, I know, who would have thought that!

Happy New Year!


T



In FOCUS
since 1986
WebFOCUS Server 8.2.01M, thru 8.2.07 on Windows Svr 2008 R2  
WebFOCUS App Studio 8.2.06 standalone on Windows 10 
January 05, 2017, 03:07 PM
Waz
Well spotted. Explains it all.


Waz...

Prod: WebFOCUS 7.6.10/8.1.04
Upgrade: WebFOCUS 8.2.07
OS: Linux
Outputs: HTML, PDF, Excel, PPT
In Focus since 1984
Pity the lost knowledge of an old programmer!

January 05, 2017, 04:15 PM
GavinL
Interesting concept, but wow, that would mean I have to loop through each record and parse out the Var name and the Value before validating the value doesn't have invalid characters.

Hmm... I'll have to let my brain drain on that a little bit.

I actually changed up your way a little, because it was throwing errors on -LINES for some reason.

-? & SAVE passvars

FILEDEF MASTERFILE DISK foccache/tmpfile.mas
-RUN

-WRITE MASTERFILE FILENAME=tmpfile, SUFFIX=TAB , DATASET=FOCCACHE/as.passvars, $
-WRITE MASTERFILE   SEGMENT=SEG1, SEGTYPE=S0, $
-WRITE MASTERFILE   FIELD=VARIABLE, ALIAS=  ,A5000,A5000,$
-RUN

TABLE FILE FOCCACHE/tmpfile
PRINT VARIABLE
END

Thanks,



- FOCUS Man, just FOCUS!
-----------------------------
Product: WebFOCUS
Version: 8.1.04
Server: Windows 2008 Server
January 05, 2017, 04:23 PM
Waz
If it's run from the repository, just add -MRNOEDIT to the line.

-MRNOEDIT EX -LINES * EDAPUT MASTER,PASSED_VARS,CV,FILE

What's happening is that WebFOCUS sees the EX and tries to locate the fex -LINES.


Waz...

Prod: WebFOCUS 7.6.10/8.1.04
Upgrade: WebFOCUS 8.2.07
OS: Linux
Outputs: HTML, PDF, Excel, PPT
In Focus since 1984
Pity the lost knowledge of an old programmer!

January 09, 2017, 03:18 PM
GavinL
I ended up just going with an included FEX that has all possible vars, which after some research is only 6 or so. It validates each var, and if that var has either a single quote or a less-than character, it's logged and rejected.

How it's used:
-INCLUDE IBFS:/WFC/Repository/MYDom/validate_params.fex


Example of fex code with all my real vars removed.
-* Check for either Single Quotes or Less than sign.
-* 39 = '
-* 60 = <

-DEFAULTH &MYVAR = _FOC_NULL;

-*HubExplorer
-IF &MYVAR CONTAINS HEXBYT(39, 'A1') OR &MYVAR CONTAINS HEXBYT(60, 'A1') THEN GOTO XSSDETECTED;
-GOTO CONTINUEPROCESS

-XSSDETECTED
-INCLUDE IBFS:/WFC/Repository/MYDom/TextLogVars.fex

-HTMLFORM BEGIN
<html>
<body>
	XSS Detected - User Access Denied
</body>
</html>
-HTMLFORM END
-EXIT

-CONTINUEPROCESS




- FOCUS Man, just FOCUS!
-----------------------------
Product: WebFOCUS
Version: 8.1.04
Server: Windows 2008 Server
January 11, 2017, 08:59 AM
GavinL
Well, we found another way..

Admin Console->Configuration->Custom Settings

# Managed Internal Variables to secure against XSS Attacks
VARNAME1(alpha)
VARNAME2(alpha)
VARNAME3(alpha)

Syntax: How to Enable Validation and Control of Variables

The following <SET> command enables validation and control of WebFOCUS Client variables passed from a cookie or form:

<SET> variable (option)

where:

variable
    Is the name of the WebFOCUS Client variable.

option
    Can be one of the following:
    pass
        Specifies that the variable will be treated as a Dialogue Manager amper variable on the WebFOCUS Reporting Server. This is the default value.
    dontpass
        Specifies that the variable will not be passed to the WebFOCUS Reporting Server.
    protect
        Specifies that the variable cannot be set from the browser.
        Note: The IBIF_focexec and IBIF_ex variables should not be restricted with the protect option. Doing so would prevent WebFOCUS from executing the procedure.
    number
        Specifies that the variable can only be numeric.
    alpha
        Specifies that the variable can only have alphanumeric characters (0-9, a-z) and periods (.).
    string
        Specifies that all characters are valid.
    length=n
        Sets the maximum length of a variable in characters. The length is unlimited, by default.




- FOCUS Man, just FOCUS!
-----------------------------
Product: WebFOCUS
Version: 8.1.04
Server: Windows 2008 Server
January 11, 2017, 10:03 AM
GavinL
So we ran into an issue with one of our variables that had spaces, causing WF to reject the variable and give some weird error that would pop up for XSS attacks. Here is what we did to resolve it.

# Managed Internal Variables to secure against XSS Attacks
<SET> VARNAME1(alpha)
<SET> VARNAME1(alpha)

<IF> VARNAME1 CONTAINS "'" OR VARNAME1 CONTAINS "<"
<SET> VARNAME1(alpha)
<ELSE>
<SET> VARNAME1(string)
<ENDIF>


This allows us to still validate against XSS attacks and still allow spaces which the browser auto replaces with %20.

Hope this helps the next poor soul that has to go through this $#!+



- FOCUS Man, just FOCUS!
-----------------------------
Product: WebFOCUS
Version: 8.1.04
Server: Windows 2008 Server
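As an added illustration (not code from this thread and not WebFOCUS code), the following Python script shows the two approaches discussed above side by side: GavinL's validate_params.fex idea of walking every passed variable and rejecting values containing a single quote or a less-than sign, and the Admin Console <SET> variable(option) rules (pass, dontpass, protect, number, alpha, string, length=n) together with the <IF> CONTAINS fallback from the last post. It percent-decodes the query string first, so the "%27%2Balert%28179%29%2B%27" probe quoted at the top of the thread is inspected as the characters it becomes on the server. The policy parser, the variable names REGION, YEAR, CUSTNAME and INTERNALFLAG, the option name "guarded" (standing in for the <IF> CONTAINS construct), the assumption that alpha accepts upper- and lower-case letters, and the assumed decimal form for number are all constructed for this example and are not part of the product.

```python
import logging
import re
from urllib.parse import parse_qsl

# Constructed example, not WebFOCUS code: apply <SET> variable(option) style
# rules to every name/value pair of a percent-encoded query string.
log = logging.getLogger("param_validation")

SET_LINE = re.compile(r"^<SET>\s*(\w+)\s*\(\s*([^)]+?)\s*\)\s*$")
ALPHA_RE = re.compile(r"^[0-9A-Za-z.]*$")        # alpha: digits, letters, periods (case assumed)
NUMBER_RE = re.compile(r"^-?[0-9]+(\.[0-9]+)?$")  # number: assumed plain decimal form
SUSPECT = ("'", "<")   # the two characters validate_params.fex rejects (HEXBYT 39 and 60)
KNOWN_TYPES = ("pass", "dontpass", "protect", "number", "alpha", "string", "guarded")


def parse_policy(text):
    """Turn '<SET> NAME(option)' lines into {NAME: {"type": ..., "length": ...}}.

    Several <SET> lines for one name accumulate, so a type option and a
    length=n option can be combined. '#' lines are comments, as on the page.
    """
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SET_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised policy line: {line!r}")
        name, option = m.group(1), m.group(2).lower()
        entry = policy.setdefault(name, {"type": "pass", "length": None})
        if option.startswith("length="):
            entry["length"] = int(option[len("length="):])
        elif option in KNOWN_TYPES:
            entry["type"] = option
        else:
            raise ValueError(f"unknown option {option!r} for {name}")
    return policy


def check_value(value, rule):
    """Return (ok, reason) for one decoded value against one rule."""
    kind, max_len = rule["type"], rule["length"]
    if kind == "dontpass":
        return False, "dontpass: not forwarded to the Reporting Server"
    if kind == "protect":
        return False, "protect: cannot be set from the browser"
    if max_len is not None and len(value) > max_len:
        return False, f"length {len(value)} exceeds {max_len}"
    if kind == "guarded":
        # Constructed name for the thread's <IF> CONTAINS rule: values holding
        # ' or < get the strict alpha check, everything else is a free string.
        kind = "alpha" if any(c in value for c in SUSPECT) else "string"
    if kind == "number":
        return (True, "") if NUMBER_RE.match(value) else (False, "not numeric")
    if kind == "alpha":
        if ALPHA_RE.match(value):
            return True, ""
        return False, "characters outside 0-9, a-z, period"
    return True, ""   # pass / string: every character is valid


def validate_query(query, policy, default_type="pass"):
    """Decode a raw query string and split its parameters into accepted and rejected."""
    accepted, rejected = {}, {}
    default = {"type": default_type, "length": None}
    for name, value in parse_qsl(query, keep_blank_values=True):
        ok, reason = check_value(value, policy.get(name, default))
        if ok:
            accepted[name] = value
        else:
            rejected[name] = reason
            log.warning("rejected %s=%r: %s", name, value, reason)  # the "logged" part
    return accepted, rejected


# Constructed policy in the page's Custom Settings syntax.
POLICY_TEXT = """\
# Managed Internal Variables to secure against XSS Attacks (constructed)
<SET> REGION(alpha)
<SET> YEAR(number)
<SET> CUSTNAME(guarded)
<SET> CUSTNAME(length=40)
<SET> INTERNALFLAG(protect)
"""

# Constructed query: the encoded probe quoted in the thread lands on REGION,
# CUSTNAME carries a space (%20), YEAR is clean, INTERNALFLAG is browser-set.
SAMPLE_QUERY = ("REGION=%27%2Balert%28179%29%2B%27&YEAR=2017"
                "&CUSTNAME=Acme%20Widgets&INTERNALFLAG=x")

if __name__ == "__main__":
    accepted, rejected = validate_query(SAMPLE_QUERY, parse_policy(POLICY_TEXT))
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Run as a script it accepts YEAR and the space-containing CUSTNAME and rejects REGION (the decoded value contains a quote, so the alpha rule fails) and INTERNALFLAG (protect). The point of the "guarded" branch is the one made in the last post: a plain alpha rule also rejects harmless spaces, so the conditional keeps the strict check only for values that carry the two characters of concern.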
January 11, 2017, 04:59 PM
Waz
Good One


Waz...

Prod: WebFOCUS 7.6.10/8.1.04
Upgrade: WebFOCUS 8.2.07
OS: Linux
Outputs: HTML, PDF, Excel, PPT
In Focus since 1984
Pity the lost knowledge of an old programmer!