As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.

XSS problem with Report Preloader
Platinum Member
posted
So within our reports we use a report preloader; it's basically what Tony used in this thread:

https://forums.informationbuilders.com/groupee/forums/a/...1057331/m/7091069641

We had a security audit done and found out we are exposed to XSS attacks. Basically entering something like "%22%3E%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT/%3E" in place of a parameter in the URL.

I spoke with IBI about this and they suggest I use...

<if> HTTP_REFERER CONTAINS "<script" //=
OR HTTP_REFERER CONTAINS "%3CSCRIPT"
<HTMLFORM> &IBI_HTML_DIR/redirect.html
<EXIT>
<endif>

...in my site.wfs file, which should catch this parameter in the URL and redirect it out of the report. Except what happens is that the report preloader is only sent http://[servername]/ibi_apps/WFServlet as its URL, and the alert box still pops up; only after the preloader runs does the redirect page load (it will catch the XSS attack then).

I also tried searching the QUERY_STRING instead of the HTTP_REFERER, but the parameter comes up blank instead of "%22%3E%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT/%3E".

Has anyone run into an issue like this and can help me out? It would be greatly appreciated, thanks.

Eric


dev: WF 7.6.5 w/IIS + Tomcat

prod: WF 7.6.5 w/IIS + Tomcat
 
Posts: 153 | Location: Chicago, IL | Registered: February 24, 2006
Virtuoso
posted
That preloader thread was a little long - and I drank a little too much last night - to completely digest. So if I dumb this down, you would like to stop any request that hits the WebFOCUS web application that contains a parameter value with "<script" in it.

I would suggest looking into implementing a servlet filter that will listen for all requests to /ibi_apps. You could have the filter then iterate through the parameter values and check for the offending value. The filter could then forward the request to a safe and simple error message via a JSP.

Thoughts?


"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
 
Posts: 1102 | Location: Toronto, Ontario | Registered: May 26, 2004
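A servlet filter along the lines suggested above, as an added example rather than code from this thread or from IBI. It assumes the javax.servlet API of the Tomcat that hosts WebFOCUS 7.6.5; the class name and the error page path /xss_error.jsp are hypothetical, and the filter must be registered in the ibi_apps web.xml with a filter-mapping whose url-pattern is /*.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Map this filter to /* in the ibi_apps web.xml so it runs before WFServlet.
public class ScriptParameterFilter implements Filter {
    private static final String ERROR_PAGE = "/xss_error.jsp"; // hypothetical page

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest
                && hasScriptParameter((HttpServletRequest) req)) {
            // Forward to a plain error page before the report (and its preloader) runs.
            req.getRequestDispatcher(ERROR_PAGE).forward(req, res);
            return;
        }
        chain.doFilter(req, res);
    }

    // Parameter values arrive already URL-decoded, so the %3CSCRIPT form seen in the
    // audit shows up here as "<SCRIPT"; lower-casing covers both spellings at once.
    static boolean hasScriptParameter(HttpServletRequest request) {
        Enumeration<?> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String[] values = request.getParameterValues((String) names.nextElement());
            if (values == null) {
                continue;
            }
            for (String v : values) {
                if (v != null && v.toLowerCase(Locale.ROOT).contains("<script")) {
                    return true;
                }
            }
        }
        return false;
    }
}
```

Because the filter runs before WFServlet, a blocked request never reaches the preloader, which is the gap the site.wfs check left. Treat it as a stopgap rather than a fix: it matches only the literal tag the audit reported.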
Platinum Member
posted
Thanks for the reply, that is exactly what we were looking to do but not exactly sure how.

Any references that can help me accomplish this?


dev: WF 7.6.5 w/IIS + Tomcat

prod: WF 7.6.5 w/IIS + Tomcat
 
Posts: 153 | Location: Chicago, IL | Registered: February 24, 2006
Virtuoso
posted
Do you know Java? If not, pm me your email. I'll try to get something to you by early next week. It is not much work (it should only be approx 20 lines of java code), but I don't have a lot of down time these days.


"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
 
Posts: 1102 | Location: Toronto, Ontario | Registered: May 26, 2004
Platinum Member
posted
I do but I'm not the best at it. If I could even get a reference to a website that shows something similar I can modify it to my needs. Either way...thanks.


dev: WF 7.6.5 w/IIS + Tomcat

prod: WF 7.6.5 w/IIS + Tomcat
 
Posts: 153 | Location: Chicago, IL | Registered: February 24, 2006

Copyright © 1996-2020 Information Builders