Focal Point
XSS problem with Report Preloader

This topic can be found at:
https://forums.informationbuilders.com/eve/forums/a/tpc/f/7971057331/m/2651069742

September 21, 2007, 12:48 PM
.eric
XSS problem with Report Preloader
So within our reports we use a report preloader, it's basically what Tony used in this thread:

https://forums.informationbuilders.com/groupee/forums/a/...1057331/m/7091069641

We had a security audit done and found out we are exposed to XSS attacks. Basically entering something like "%22%3E%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT/%3E" in place of a parameter in the URL.

I spoke with IBI about this and they suggest I use...

<if> HTTP_REFERER CONTAINS "<script" //=
OR HTTP_REFERER CONTAINS "%3CSCRIPT"
<HTMLFORM> &IBI_HTML_DIR/redirect.html
<EXIT>
<endif>

...in my site.wfs file which should catch this parameter in the URL and redirect it out of the report, except what happens is that the report preloader is only sent http://[servername]/ibi_apps/WFServlet as its URL and the alert box still pops up; only after the preloader runs does the redirect page load (it will catch the XSS attack then).

I also tried searching the QUERY_STRING instead of the HTTP_REFERER but the parameter comes up blank instead of "%22%3E%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT/%3E".

Has anyone run into an issue like this and can help me out? It would be greatly appreciated, thanks.

Eric


dev: WF 7.6.5 w/IIS + Tomcat

prod: WF 7.6.5 w/IIS + Tomcat
September 23, 2007, 10:43 AM
dhagen
That preloader thread was a little long - and I drank a little too much last night - to completely digest. So if I dumb this down, you would like to stop any request that hits the WebFOCUS web application that contains a parameter value that has "<script" in it.

I would suggest looking into implementing a servlet filter that will listen for all requests to /ibi_apps. You could have the filter then iterate through the parameter values and check for the offending value. The filter could then forward the request to a safe and simple error message via a jsp.

Thoughts?


"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
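As an added illustration of the filter dhagen describes (example code written for this thread, not from the original post or from Information Builders): a javax.servlet filter that walks every parameter value of a request and forwards to an error JSP when one contains "<script". The class name and the JSP path are assumptions; the filter is assumed to be mapped to /* in the ibi_apps web.xml so it sees the preloader's WFServlet request as well.

```java
import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical filter for the ibi_apps web application: rejects any request
 * carrying a parameter value that contains "<script" (any letter case).
 * Register it in WEB-INF/web.xml with a filter-mapping whose url-pattern is /*.
 */
public class ScriptParamFilter implements Filter {

    // Assumed location of the safe, static error page inside the web app.
    private static final String ERROR_PAGE = "/WEB-INF/jsp/badrequest.jsp";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    /** True if an already URL-decoded value contains "<script" in any case. */
    static boolean isSuspicious(String value) {
        return value != null && value.toLowerCase().indexOf("<script") >= 0;
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // The container URL-decodes parameters, so "%3CSCRIPT" in the query
        // string (or in a POST body) arrives here as "<SCRIPT" and is caught.
        Enumeration names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            String[] values = request.getParameterValues(name);
            for (int i = 0; values != null && i < values.length; i++) {
                if (isSuspicious(values[i])) {
                    // Do not echo the offending value back; just show the safe page.
                    request.getRequestDispatcher(ERROR_PAGE).forward(req, resp);
                    return;
                }
            }
        }
        chain.doFilter(req, resp);
    }
}
```

Because the filter runs before WFServlet, the redirect happens before the preloader page is ever written, which is the ordering problem Eric saw with the site.wfs check.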
September 25, 2007, 02:47 PM
.eric
Thanks for the reply, that is exactly what we were looking to do but not exactly sure how.

Any references that can help me accomplish this?


dev: WF 7.6.5 w/IIS + Tomcat

prod: WF 7.6.5 w/IIS + Tomcat
September 25, 2007, 03:21 PM
dhagen
Do you know Java? If not, pm me your email. I'll try to get something to you by early next week. It is not much work (it should only be approx 20 lines of java code), but I don't have a lot of down time these days.


"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
September 25, 2007, 03:46 PM
.eric
I do but I'm not the best at it. If I could even get a reference to a website that shows something similar I can modify it to my needs. Either way...thanks.


dev: WF 7.6.5 w/IIS + Tomcat

prod: WF 7.6.5 w/IIS + Tomcat