[SOLVED] Looping through all passed Params
Master
posted
Is there a way in WebFOCUS to loop through all passed Params?

I ask because I've attempted to use "IBI_XSS_Protection" and "IBI_XSS_Mode_Block" to prevent unwanted values within our params like "%27%2Balert%28179%29%2B%27" added to our query strings and it doesn't seem to work.

My thought is to write a separate fex and include it within all outward facing fexes that checks for specific chars that should never exist like "+" or "'" and wipe the vars entirely if they do.

Anyone had to do this?




- FOCUS Man, just FOCUS!
-----------------------------
Product: WebFOCUS
Version: 8.1.04
Server: Windows 2008 Server
 
Posts: 578 | Registered: October 01, 2014
Expert
posted
I haven't done it, but my first thought was to use -? & SAVE

I threw this together, not sure why it prefixes the save with an 'as.'

Also not sure if it gets all &vars, but seems to have them all.


-? & SAVE AS passvars

FILEDEF PASSED_VARS DISK FOCCACHE/as.passvars

EX -LINES * EDAPUT MASTER,PASSED_VARS,CV,FILE
FILENAME=PASSED_VARS, SUFFIX=FIX, $
SEGNAME=PASSED_VARS, $
  FIELD=VARIABLE, ALIAS=  ,A500,A500,$
EDAPUT*

-RUN

TABLE FILE PASSED_VARS 
PRINT VARIABLE
END


Waz...

Prod: WebFOCUS 7.6.10/8.1.04 | Upgrade: WebFOCUS 8.2.06 | OS: Linux | Outputs: HTML, PDF, Excel, PPT
In Focus since 1984
Know The Code

 
Posts: 6207 | Location: 33.8688° S, 151.2093° E | Registered: October 31, 2006
Expert
posted
quote:
-? & SAVE AS passvars

Use SAVE passvars instead to get the filename that you thought that should result.

Yes, I know, who would have thought that!

Happy New Year!


T



In FOCUS
since 1986
WebFOCUS Server 8.2.01M, thru 8.2.06 on Windows Svr 2008 R2  
WebFOCUS App Studio 8.2.06 standalone on Windows 10 
 
Posts: 5637 | Location: United Kingdom | Registered: April 08, 2004
Expert
posted
Well spotted. Explains it all.



Waz...

Prod: WebFOCUS 7.6.10/8.1.04 | Upgrade: WebFOCUS 8.2.06 | OS: Linux | Outputs: HTML, PDF, Excel, PPT
In Focus since 1984
Know The Code

 
Posts: 6207 | Location: 33.8688° S, 151.2093° E | Registered: October 31, 2006
Master
posted
Interesting concept, but wow, that would mean I have to loop through each record and parse out the Var name and the Value before validating the value doesn't have invalid characters.

Hmm... I'll have to let my brain drain on that a little bit.

I actually changed up your way a little, because it was throwing errors on -LINES for some reason.

-? & SAVE passvars

FILEDEF MASTERFILE DISK foccache/tmpfile.mas
-RUN

-WRITE MASTERFILE FILENAME=tmpfile, SUFFIX=TAB , DATASET=FOCCACHE/as.passvars, $
-WRITE MASTERFILE   SEGMENT=SEG1, SEGTYPE=S0, $
-WRITE MASTERFILE   FIELD=VARIABLE, ALIAS=  ,A5000,A5000,$
-RUN

TABLE FILE FOCCACHE/tmpfile
PRINT VARIABLE
END

Thanks,



- FOCUS Man, just FOCUS!
-----------------------------
Product: WebFOCUS
Version: 8.1.04
Server: Windows 2008 Server
 
Posts: 578 | Registered: October 01, 2014
Expert
posted
If it's run from the repository, just add -MRNOEDIT to the line.

-MRNOEDIT EX -LINES * EDAPUT MASTER,PASSED_VARS,CV,FILE

What's happening is that WebFOCUS sees the EX and tries to locate the fex -LINES.


Waz...

Prod: WebFOCUS 7.6.10/8.1.04 | Upgrade: WebFOCUS 8.2.06 | OS: Linux | Outputs: HTML, PDF, Excel, PPT
In Focus since 1984
Know The Code

 
Posts: 6207 | Location: 33.8688° S, 151.2093° E | Registered: October 31, 2006
Master
posted
I ended up just going with an included FEX that has all possible vars, which after some research is only 6 or so. It validates each var and if that var has either a single quote or a less than character, it's logged and rejected.

How it's used:
-INCLUDE IBFS:/WFC/Repository/MYDom/validate_params.fex


Example of fex code with all my real vars removed.
-* Check for either Single Quotes or Less than sign.
-* 39 = '
-* 60 = <

-DEFAULTH &MYVAR = _FOC_NULL;

-*HubExplorer
-IF &MYVAR CONTAINS HEXBYT(39, 'A1') OR &MYVAR CONTAINS HEXBYT(60, 'A1') THEN GOTO XSSDETECTED;
-GOTO CONTINUEPROCESS

-XSSDETECTED
-INCLUDE IBFS:/WFC/Repository/MYDom/TextLogVars.fex

-HTMLFORM BEGIN
<html>
<body>
	XSS Detected - User Access Denied
</body>
</html>
-HTMLFORM END
-EXIT

-CONTINUEPROCESS



- FOCUS Man, just FOCUS!
-----------------------------
Product: WebFOCUS
Version: 8.1.04
Server: Windows 2008 Server
 
Posts: 578 | Registered: October 01, 2014
Master
posted
Well, we found another way..

Admin Console->Configuration->Custom Settings

# Managed Internal Variables to secure against XSS Attacks
VARNAME1(alpha)
VARNAME2(alpha)
VARNAME3(alpha)

Syntax: How to Enable Validation and Control of Variables

The following <SET> command enables validation and control of WebFOCUS Client variables passed from a cookie or form:

<SET> variable (option)

where:

variable
    Is the name of the WebFOCUS Client variable.

option
    Can be one of the following:
    pass
        Specifies that the variable will be treated as a Dialogue Manager amper variable on the WebFOCUS Reporting Server. This is the default value.
    dontpass
        Specifies that the variable will not be passed to the WebFOCUS Reporting Server.
    protect
        Specifies that the variable cannot be set from the browser.
        Note: The IBIF_focexec and IBIF_ex variables should not be restricted with the protect option. Doing so would prevent WebFOCUS from executing the procedure.
    number
        Specifies that the variable can only be numeric.
    alpha
        Specifies that the variable can only have alphanumeric characters (0-9, a-z) and periods (.).
    string
        Specifies that all characters are valid.
    length=n
        Sets the maximum length of a variable in characters. The length is unlimited, by default.




- FOCUS Man, just FOCUS!
-----------------------------
Product: WebFOCUS
Version: 8.1.04
Server: Windows 2008 Server
 
Posts: 578 | Registered: October 01, 2014
Master
posted
So we ran into an issue with one of our variables that had spaces, causing WF to reject the variable and give some weird error that would pop up for XSS attacks. Here is what we did to resolve it.

# Managed Internal Variables to secure against XSS Attacks
<SET> VARNAME1(alpha)
<SET> VARNAME1(alpha)

<IF> VARNAME1 CONTAINS "'" OR VARNAME1 CONTAINS "<"
<SET> VARNAME1(alpha)
<ELSE>
<SET> VARNAME1(string)
<ENDIF>


This allows us to still validate against XSS attacks and still allow spaces which the browser auto replaces with %20.

Hope this helps the next poor soul that has to go through this $#!+



- FOCUS Man, just FOCUS!
-----------------------------
Product: WebFOCUS
Version: 8.1.04
Server: Windows 2008 Server
 
Posts: 578 | Registered: October 01, 2014
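The validation options documented in the Custom Settings post and the <IF>/<ELSE> policy from the post above, modelled in Python as an added example (this is not WebFOCUS code and not the thread author's; it assumes the documented "alpha" set of 0-9, a-z and periods is case-insensitive, and uses constructed sample values, including the encoded payload quoted in the first post):

```python
import re
from urllib.parse import parse_qsl

# Regexes for the documented option semantics. Assumption: "alpha" (documented as
# 0-9, a-z and periods) is taken to be case-insensitive.
ALPHA_RE = re.compile(r"^[0-9A-Za-z.]*$")
NUMBER_RE = re.compile(r"^[0-9]+$")


def validate(value, option, max_length=None):
    """Return (accepted, reason) for one variable under one <SET> option."""
    if max_length is not None and len(value) > max_length:
        return False, "length"          # length=n exceeded
    if option == "alpha":
        return (True, "") if ALPHA_RE.fullmatch(value) else (False, "alpha")
    if option == "number":
        return (True, "") if NUMBER_RE.fullmatch(value) else (False, "number")
    if option in ("dontpass", "protect"):
        return False, option            # browser-supplied value never reaches the server
    return True, ""                     # "string", and the default "pass"


def choose_option(value):
    """The thread's <IF>/<ELSE> rule: fall back to alpha only when ' or < is present."""
    return "alpha" if ("'" in value or "<" in value) else "string"


def check_query(query_string, policy):
    """Decode a query string the way the browser sends it (%27, %20, ...) and
    apply the per-variable policy. Option "conditional" means the <IF> rule."""
    results = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        option = policy.get(name, "pass")
        if option == "conditional":
            option = choose_option(value)
        accepted, reason = validate(value, option)
        results[name] = (accepted, option, reason)
    return results


# Constructed sample: the payload quoted in the first post, a value with an
# encoded space (the case that broke a plain alpha rule), and a plain value.
SAMPLE_QUERY = ("VARNAME1=%27%2Balert%28179%29%2B%27"
                "&VARNAME2=Hello%20World&VARNAME3=ACME.01")
POLICY = {"VARNAME1": "conditional", "VARNAME2": "conditional", "VARNAME3": "alpha"}

if __name__ == "__main__":
    for name, (ok, option, reason) in check_query(SAMPLE_QUERY, POLICY).items():
        print(name, "accepted" if ok else "rejected (" + reason + ")", "via", option)
```

Running it shows VARNAME2 rejected under a plain alpha policy but accepted under the conditional one, while the quoted payload is rejected under both; note that the conditional rule only inspects ' and <, so every other value falls through to string.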
Expert
posted
Good One


Waz...

Prod: WebFOCUS 7.6.10/8.1.04 | Upgrade: WebFOCUS 8.2.06 | OS: Linux | Outputs: HTML, PDF, Excel, PPT
In Focus since 1984
Know The Code

 
Posts: 6207 | Location: 33.8688° S, 151.2093° E | Registered: October 31, 2006
Copyright © 1996-2018 Information Builders, leaders in enterprise business intelligence.