September 21, 2007, 12:48 PM
.eric
XSS problem with Report Preloader
So within our reports we use a report preloader; it's basically what Tony used in this thread:
https://forums.informationbuilders.com/groupee/forums/a/...1057331/m/7091069641
We had a security audit done and found out we are exposed to XSS attacks. Basically entering something like "%22%3E%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT/%3E" in place of a parameter in the URL.
I spoke with IBI about this and they suggest I use...
<if> HTTP_REFERER CONTAINS "<script" //=
OR HTTP_REFERER CONTAINS "%3CSCRIPT"
<HTMLFORM> &IBI_HTML_DIR/redirect.html
<EXIT>
<endif>
...in my site.wfs file, which should catch this parameter in the URL and redirect it out of the report, except what happens is that the report preloader is only sent
http://[servername]/ibi_apps/WFServlet as its URL and the alert box still pops up; only after the preloader runs does the redirect page load (it will catch the XSS attack then).
I also tried searching the QUERY_STRING instead of the HTTP_REFERER, but the parameter comes up blank instead of "%22%3E%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT/%3E".
Has anyone run into an issue like this and can help me out? It would be greatly appreciated, thanks.
Eric
September 23, 2007, 10:43 AM
dhagen
That preloader thread was a little long - and I drank a little too much last night - to completely digest. So if I dumb this down, you would like to stop any request that hits the WebFOCUS web application that contains a parameter value that has "<script" in it.
I would suggest looking into implementing a servlet filter that will listen for all requests to /ibi_apps. You could have the filter then iterate through the parameter values and check for the offending value. The filter could then forward the request to a safe and simple error message via a JSP.
Thoughts?
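The filter dhagen describes, as an added example (not his code, not IBI's): it walks every request parameter, and because the servlet container URL-decodes values before a filter sees them, the "%3CSCRIPT" form from the audit is matched as well. The error page path /xss-error.jsp and the class name are assumptions.

```java
// Added example: servlet filter that rejects requests to the WebFOCUS web app
// when any parameter value contains "<script", forwarding to a plain error page.
// Assumes a Servlet 2.x/3.x container; the error page path is hypothetical.
import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

public class ScriptParamFilter implements Filter {
    private static final String ERROR_PAGE = "/xss-error.jsp"; // hypothetical page

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    // True if any value of any request parameter (query string or POST body)
    // contains "<script", compared case-insensitively. The container has
    // already decoded "%3C" to "<", so the encoded variant is caught too.
    static boolean containsScriptTag(ServletRequest request) {
        Enumeration<?> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            String[] values = request.getParameterValues(name);
            if (values == null) continue;
            for (int i = 0; i < values.length; i++) {
                if (values[i] != null && values[i].toLowerCase().indexOf("<script") >= 0) {
                    return true;
                }
            }
        }
        return false;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (containsScriptTag(request)) {
            // Stop here so the request never reaches WFServlet or the preloader.
            request.getRequestDispatcher(ERROR_PAGE).forward(request, response);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Register it in the web app's WEB-INF/web.xml with a filter entry and a filter-mapping whose url-pattern is /* so it runs ahead of WFServlet; note that this only blocks the one pattern the audit reported, and output encoding of echoed parameters remains the real fix.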
September 25, 2007, 02:47 PM
.eric
Thanks for the reply, that is exactly what we were looking to do but not exactly sure how.
Any references that can help me accomplish this?
September 25, 2007, 03:21 PM
dhagen
Do you know Java? If not, PM me your email. I'll try to get something to you by early next week. It is not much work (it should only be approx 20 lines of Java code), but I don't have a lot of down time these days.
September 25, 2007, 03:46 PM
.eric
I do but I'm not the best at it. If I could even get a reference to a website that shows something similar I can modify it to my needs. Either way...thanks.