Configuring XSS (cross-site scripting) validation
Cross-site scripting (XSS) is an attack in which unwanted script is injected into web pages that are delivered to, and executed in, a client's browser. Infor Security provides ways to protect your web pages from these attacks.
The table in this section describes the features that are available and how to enable them.
Property | Values / Description
---|---
`xssvalidation.isenabled` | Applies only to LFS. `true` enables XSS validation; `false` disables it. Note: when XSS validation is enabled, you must also add the `validators` property (next row) to the properties file.
`validators` | Comma-separated list of the validators to run. The example file below enables `ScriptTag`, `SQLInjection`, `Hex` and `LdapInjection`.
`exact.tags` | A comma-separated list of character sequences that are not permitted in URLs. Each entry is matched literally and exactly, so if an entry contains a space, the space is part of the match. Because matching is literal, the URL-encoded form of characters such as `:`, `/`, `<`, `>` and space may have to be added as separate entries for the validation to be effective. If the property is missing from the properties file, a default set is used (the example file below shows the default). If the property is present, make sure it has values: an empty value disables matching, which may be a security risk depending on your situation. Default value: `javascript:,vbscript,href=,script:,javascript%3a,href%3d,script%3a`
`ignore.tags` | Comma-separated list of strings that are not violations but would otherwise be detected as one. Example: if `exact.tags` includes `href` and the name "Schreffer" legitimately occurs in your data set, add `schreffer` to `ignore.tags` so that this specific string does not trigger a violation.
`xsswalkbackenabled` | Optional; enabled by default. When a validator flags part of a request as potentially malicious, walkback re-evaluates the entire request to determine whether it is in fact acceptable, that is, whether the initial report was a false positive. Leave it enabled unless you have a specific reason not to; setting it to `false` may increase the rate of false positives.
`getdecodedisabled` | If this property exists in your file, leave it disabled (`false`) unless an Infor representative tells you to enable it. Most customers do not need this property.
`sqlinjection.validation.mode` | Selects how SQL injection is detected. Two modes are available, described in the following table.

Validation mode | Description
---|---
`sqlinjection.validation.mode=default` | Default SQL injection detection. The system uses this mode when the property is not set.
`sqlinjection.validation.mode=advanced` | Uses an additional set of advanced methods to detect SQL injection. Note: advanced mode may have performance implications.
Example xssvalidator.properties file

Most properties in this file are disabled by default. Enable all properties that you want to use.

```properties
xssvalidation.isenabled=true
validators=ScriptTag,SQLInjection,Hex,LdapInjection
exact.tags=javascript:,vbscript,href=,script:,javascript%3a,href%3d,script%3a,yourexacttag1,yourexacttag2,yourignoretag3
ignore.tags=yourignoretag1,yourignoretag2,yourignoretag3
xsswalkbackenabled=true
```
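The following Python script is an added illustration of the `exact.tags` / `ignore.tags` behaviour described in the table above; it is not Infor's validator or any part of the product. It models only what the documentation states (literal, comma-separated matching with spaces kept, no URL decoding, the default list when `exact.tags` is absent, matching disabled when the property is present but empty, and `ignore.tags` suppressing hits) and makes two assumptions the documentation does not spell out: comparison is case-insensitive, and a hit is suppressed when it falls inside an occurrence of an ignore tag. The properties text and URLs are constructed samples.

```python
# Added illustration of the exact.tags / ignore.tags semantics described in
# the documentation above. NOT Infor's code: it models only the documented
# behaviour and ASSUMES case-insensitive comparison and that an ignore tag
# suppresses any hit lying inside an occurrence of that ignore tag.

DEFAULT_EXACT_TAGS = "javascript:,vbscript,href=,script:,javascript%3a,href%3d,script%3a"

# Constructed sample of an xssvalidator.properties file (not a real deployment).
# 'href' is appended to the defaults to reproduce the "Schreffer" example.
SAMPLE_PROPERTIES = """\
xssvalidation.isenabled=true
validators=ScriptTag,SQLInjection,Hex,LdapInjection
exact.tags=javascript:,vbscript,href=,script:,javascript%3a,href%3d,script%3a,href
ignore.tags=schreffer
xsswalkbackenabled=true
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal key=value parser; lines starting with '#' or '!' are comments."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.lstrip()
    return props


def split_tags(value: str) -> list[str]:
    """Comma-separated list; entries are NOT trimmed, so a space is part of the tag."""
    return [tag for tag in value.split(",") if tag != ""]


def load_exact_tags(props: dict[str, str]) -> list[str]:
    if "exact.tags" not in props:
        return split_tags(DEFAULT_EXACT_TAGS)  # property missing: default set applies
    return split_tags(props["exact.tags"])     # present but empty: [] disables matching


def _spans(haystack: str, needle: str) -> list[tuple[int, int]]:
    """All (start, end) positions of needle in haystack (both already lower-cased)."""
    spans, start = [], 0
    while (i := haystack.find(needle, start)) != -1:
        spans.append((i, i + len(needle)))
        start = i + 1
    return spans


def find_violations(url: str, exact_tags: list[str], ignore_tags: list[str]) -> list[str]:
    """Return the exact tags that occur literally in url.

    No URL decoding is performed, so 'javascript%3a' is only caught because that
    encoded form is itself listed; a double-encoded 'javascript%253a' is missed
    unless it is added too. A hit inside an ignore-tag occurrence is suppressed.
    """
    hay = url.lower()
    ignored = [span for ig in ignore_tags for span in _spans(hay, ig.lower())]
    hits = []
    for tag in exact_tags:
        for start, end in _spans(hay, tag.lower()):
            if not any(s <= start and end <= e for s, e in ignored):
                hits.append(tag)
                break
    return hits


def check_url(url: str, properties_text: str = SAMPLE_PROPERTIES) -> list[str]:
    """Apply the configured exact/ignore lists to one URL; [] means no violation."""
    props = parse_properties(properties_text)
    if props.get("xssvalidation.isenabled", "false").lower() != "true":
        return []  # validation switched off entirely
    return find_violations(url, load_exact_tags(props), split_tags(props.get("ignore.tags", "")))


if __name__ == "__main__":
    for u in ["/search?q=Schreffer",               # 'href' inside an ignore tag: no hit
              "/go?to=javascript:alert(1)",
              "/go?to=javascript%3Aalert(1)",      # caught only because %3a form is listed
              "/go?to=javascript%253Aalert(1)",    # double-encoded: not listed, so missed
              "/page?link=<a href=x>"]:
        print(f"{u:36} -> {check_url(u)}")
```

Running the script shows why the documentation insists on listing encoded variants separately and on never leaving `exact.tags` present but empty: the double-encoded URL passes untouched, and an empty `exact.tags=` line turns matching off for every URL.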