Is there a way in WebFOCUS to loop through all passed Params?
I ask, because I've attempted to use "IBI_XSS_Protection" and "IBI_XSS_Mode_Block" to prevent unwanted values within our params like "%27%2Balert%28179%29%2B%27" added to our query strings and it doesn't seem to work.
My thought is to write a separate fex and include it within all outward facing fexes that checks for specific chars that should never exist like "+" or "'" and wipe the vars entirely if they do.
Anyone had to do this?
- FOCUS Man, just FOCUS! ----------------------------- Product: WebFOCUS Version: 8.1.04 Server: Windows 2008 Server
January 05, 2017, 02:15 PM
Waz
I haven't done it, but my first thought was to use -? & SAVE
I threw this together, not sure why it prefixes the save with 'as.'
Also not sure if it gets all &vars, but seems to have them all.
-? & SAVE AS passvars
FILEDEF PASSED_VARS DISK FOCCACHE/as.passvars
EX -LINES * EDAPUT MASTER,PASSED_VARS,CV,FILE
FILENAME=PASSED_VARS, SUFFIX=FIX, $
SEGNAME=PASSED_VARS, $
FIELD=VARIABLE, ALIAS= ,A500,A500,$
EDAPUT*
-RUN
TABLE FILE PASSED_VARS
PRINT VARIABLE
END
Waz...
Prod:
WebFOCUS 7.6.10/8.1.04
Upgrade:
WebFOCUS 8.2.07
OS:
Linux
Outputs:
HTML, PDF, Excel, PPT
In Focus since 1984
Pity the lost knowledge of an old programmer!
January 05, 2017, 02:39 PM
Tony A
quote:
-? & SAVE AS passvars
Use SAVE passvars instead to get the filename that you thought that should result.
Yes, I know, who would have thought that!
Happy New Year!
T
In FOCUS since 1986
WebFOCUS Server 8.2.01M, thru 8.2.07 on Windows Svr 2008 R2
WebFOCUS App Studio 8.2.06 standalone on Windows 10
January 05, 2017, 03:07 PM
Waz
Well spotted, explains it all.
January 05, 2017, 04:15 PM
GavinL
Interesting concept, but wow, that would mean I have to loop through each record and parse out the Var name and the Value before validating the value doesn't have invalid characters.
Humm.. I'll have to let my brain drain on that a little bit.
I actually changed up your way a little, because it was throwing errors on -LINES for some reason.
January 05, 2017, 04:23 PM
Waz
If it's run from the repository, just add -MRNOEDIT to the line.
-MRNOEDIT EX -LINES * EDAPUT MASTER,PASSED_VARS,CV,FILE
What's happening is that WebFOCUS sees the EX and tries to locate the fex -LINES.
January 09, 2017, 03:18 PM
GavinL
I ended up just going with an included FEX that has all possible vars, which after some research is only 6 or so possible. It validates each var and if that var has either a single quote or a less-than character, it's logged and rejected.
Example of fex code with all my real vars removed.
-* Check for either Single Quotes or Less than sign.
-* 39 = '
-* 60 = <
-DEFAULTH &MYVAR = _FOC_NULL;
-*HubExplorer
-IF &MYVAR CONTAINS HEXBYT(39, 'A1') OR &MYVAR CONTAINS HEXBYT(60, 'A1') THEN GOTO XSSDETECTED;
-GOTO CONTINUEPROCESS
-XSSDETECTED
-INCLUDE IBFS:/WFC/Repository/MYDom/TextLogVars.fex
-HTMLFORM BEGIN
<html>
<body>
XSS Detected - User Access Denied
</body>
</html>
-HTMLFORM END
-EXIT
-CONTINUEPROCESS
January 11, 2017, 08:59 AM
GavinL
Well, we found another way..
Admin Console->Configuration->Custom Settings
# Managed Internal Variables to secure against XSS Attacks
<SET> VARNAME1(alpha)
<SET> VARNAME2(alpha)
<SET> VARNAME3(alpha)
Syntax: How to Enable Validation and Control of Variables
The following <SET> command enables validation and control of WebFOCUS Client variables passed from a cookie or form:
<SET> variable (option)
where:
variable
Is the name of the WebFOCUS Client variable.
option
Can be one of the following:
pass
Specifies that the variable will be treated as a Dialogue Manager amper variable on the WebFOCUS Reporting Server. This is the default value.
dontpass
Specifies that the variable will not be passed to the WebFOCUS Reporting Server.
protect
Specifies that the variable cannot be set from the browser.
Note: The IBIF_focexec and IBIF_ex variables should not be restricted with the protect option. Doing so would prevent WebFOCUS from executing the procedure.
number
Specifies that the variable can only be numeric.
alpha
Specifies that the variable can only have alphanumeric characters (0-9, a-z) and periods (.).
string
Specifies that all characters are valid.
length=n
Sets the maximum length of a variable in characters. The length is unlimited, by default.
January 11, 2017, 10:03 AM
GavinL
So we ran into an issue with one of our variables that had spaces, causing WF to reject the variable and give some weird error that would pop up for XSS attacks. Here is what we did to resolve it.
# Managed Internal Variables to secure against XSS Attacks
<SET> VARNAME1(alpha)
<SET> VARNAME1(alpha)
<IF> VARNAME1 CONTAINS "'" OR VARNAME1 CONTAINS "<"
<SET> VARNAME1(alpha)
<ELSE>
<SET> VARNAME1(string)
<ENDIF>
This allows us to still validate against XSS attacks and still allow spaces which the browser auto replaces with %20.
Hope this helps the next poor soul that has to go through this $#!+
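Added example, not code from the thread and not part of WebFOCUS: a small Python model of the managed-variable options quoted from the documentation above (pass, dontpass, protect, number, alpha, string, length=n) and of the conditional alpha-or-string rule from the last post, run over a constructed query string that carries the alert() payload from the opening post. The variable names, the two rule tables, the length limits and the choice to treat a browser-supplied value for a "protect" variable as simply dropped are assumptions made for the example; the "alpha" character set (0-9, a-z, period) follows the quoted docs, and the rejected characters (single quote, less-than) follow GavinL's fex.

```python
import re
from urllib.parse import parse_qsl

# "alpha": only 0-9, a-z (either case) and periods, as quoted from the docs in the thread.
ALPHA_RE = re.compile(r"^[0-9A-Za-z.]*$")
NUMBER_RE = re.compile(r"^[0-9]*$")
# Characters GavinL's include fex rejects: single quote (HEXBYT 39) and less-than (HEXBYT 60).
XSS_CHARS = ("'", "<")


class VariableRejected(ValueError):
    """Raised when a variable's decoded value fails its managed-variable rule."""


def validate(name, value, option, max_length=None):
    """Apply one <SET> option to an already URL-decoded value.

    Returns the value to forward to the Reporting Server, or None when the
    option says the variable is not forwarded ('dontpass') or may not be set
    from the browser ('protect'; treating that as "drop the browser value" is
    an assumption of this example). Raises VariableRejected otherwise.
    """
    if max_length is not None and len(value) > max_length:
        raise VariableRejected(f"{name}: longer than length={max_length}")
    if option in ("dontpass", "protect"):
        return None
    if option in ("pass", "string"):
        return value
    if option == "number":
        if not NUMBER_RE.match(value):
            raise VariableRejected(f"{name}: not numeric")
        return value
    if option == "alpha":
        if not ALPHA_RE.match(value):
            raise VariableRejected(f"{name}: not alphanumeric/period")
        return value
    raise ValueError(f"unknown option {option!r}")


def alpha_unless_clean(value):
    """The last post's <IF> ... <ELSE> rule: force 'alpha' (which rejects the
    value) only when a quote or '<' is present, otherwise allow 'string' so
    values containing spaces (%20) survive."""
    return "alpha" if any(c in value for c in XSS_CHARS) else "string"


def apply_rules(query, rules):
    """Decode a query string and apply per-variable rules.

    rules maps variable name -> (option, max_length); option may be a string or
    a callable(value) -> option for conditional rules. Unlisted variables take
    the documented default, 'pass'. Returns (forwarded, rejected) dicts.
    """
    forwarded, rejected = {}, {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        option, max_length = rules.get(name, ("pass", None))
        if callable(option):
            option = option(value)
        try:
            kept = validate(name, value, option, max_length)
        except VariableRejected as exc:
            rejected[name] = str(exc)
            continue
        if kept is not None:
            forwarded[name] = kept
    return forwarded, rejected


# Constructed sample query string. The alert() payload is the one quoted in the
# opening post; the variable names are placeholders, not real report parameters.
SAMPLE_QUERY = ("REPORT=sales.2016&ID=42&CITY=New%20York"
                "&NAME=%27%2Balert%28179%29%2B%27&DEBUG=1")

# First attempt from the thread: every text variable forced to alpha, so a
# legitimate value with a space ("New York") is rejected along with the payload.
STRICT_RULES = {
    "REPORT": ("alpha", None),
    "ID": ("number", None),
    "CITY": ("alpha", None),
    "NAME": ("alpha", None),
    "DEBUG": ("dontpass", None),
}

# Relaxed rules from the last post: alpha only when a quote or '<' is present,
# string otherwise, with an assumed length cap as a second line of defence.
RELAXED_RULES = {
    "REPORT": ("alpha", None),
    "ID": ("number", None),
    "CITY": (alpha_unless_clean, 40),
    "NAME": (alpha_unless_clean, 40),
    "DEBUG": ("dontpass", None),
}

if __name__ == "__main__":
    for label, rules in (("strict", STRICT_RULES), ("relaxed", RELAXED_RULES)):
        ok, bad = apply_rules(SAMPLE_QUERY, rules)
        print(label, "forwarded:", ok)
        print(label, "rejected:", bad)
```

Under the strict table, CITY is rejected purely because of its space, which is the failure the last post describes; under the relaxed table CITY passes as a string while NAME, whose decoded value contains a single quote, still falls through to alpha and is rejected. The length cap is not something the thread used, but it is one of the documented options and limits how much a string-typed variable can carry.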