Configuring XSS (cross-site scripting) validation

XSS is a way for an attacker to inject unwanted scripts into the web pages that are delivered to client machines. Infor Security provides ways to protect your web pages from these attacks.

The table in this section describes the features that are available and how to enable them.

Property Values / Description
xssvalidation.isenabled

This property applies only to LFS.

True = Enable XSS validation.

False = Disable XSS validation.

Note: 

When XSS validation is enabled, you are required to add the following property in the RMApiInit.properties file:

xss_validation_moveto_server=basermqueryevent

validators
  • ScriptTag: Enables detection of XSS attacks by checking for various scripting tags in data.

  • SQLInjection: Enables detection of SQL statements or statement fragments in data.

  • Hex: Enables detection of XSS attacks by checking for various scripting tags in data that are encoded in HEX.

    Example: "<" is encoded as "%3C"

  • LdapInjection: This validator is used to detect attempts to circumvent normal LDAP calls.

  • BashCodeInjection: Enables detection of injection attacks that attempt to run bash commands on the server.

exact.tags

The exact.tags list is a list of specific character sequences or strings that are not permitted in URLs. The list is used to detect specific words with an exact match.

The words in the list are comma-separated. If a space is used in the list, the matching word will include the space.

For the validation to be effective, the URL encoded version of certain characters (for example :/<> and blank space) may have to be added as separate words.

If the exact.tags property is missing from the properties file, a default set will be used instead. (The example file below shows the default.)

Make sure you define values if the exact.tags property is present in the properties file. If the property is present but no values are defined, matching is disabled, which might be a security risk depending on your situation.

Default value: "javascript:,vbscript,href=,script:,javascript%3a,href%3d,script%3a"

ignore.tags

Use the ignore.tags list to add words that are not violations but might be detected as such.

Example:

Suppose the exact.tags list includes the word "href," but the name "Schreffer" might legitimately occur in your data set. You can add "schreffer" to the ignore.tags list to ensure that this specific string does not trigger a violation.
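The following Python snippet is an added illustration of the exact.tags and ignore.tags rules described above (comma-separated entries, spaces kept as part of a word, no decoding so encoded variants such as javascript%3a must be listed separately, and ignore.tags suppressing a match inside a legitimate word such as Schreffer). It is not Infor's code; the case-insensitive comparison is an assumption drawn from the Schreffer/schreffer example.

```python
# Default exact.tags value quoted in the property table on this page.
DEFAULT_EXACT_TAGS = "javascript:,vbscript,href=,script:,javascript%3a,href%3d,script%3a"


def parse_tag_list(value):
    """Split a comma-separated tag list. Entries are not stripped: per the
    page, a space inside an entry becomes part of the word to match."""
    return [tag for tag in value.split(",") if tag != ""]


def _find_all(haystack, needle):
    """Yield every start offset of needle in haystack (overlaps included)."""
    start = 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return
        yield idx
        start = idx + 1


def find_exact_tag_hits(data, exact_tags, ignore_tags):
    """Return the exact.tags entries that occur in data as a plain substring
    match (assumed case-insensitive). A hit that lies entirely inside an
    occurrence of an ignore.tags word is discarded, which is how ignore.tags
    suppresses the false positive described on the page. No URL decoding is
    done: an encoded form such as javascript%3a only matches if it is listed."""
    lowered = data.lower()
    ignored_spans = [(i, i + len(word)) for word in ignore_tags
                     for i in _find_all(lowered, word.lower())]
    hits = []
    for tag in exact_tags:
        needle = tag.lower()
        for i in _find_all(lowered, needle):
            end = i + len(needle)
            if any(a <= i and end <= b for a, b in ignored_spans):
                continue  # this occurrence is part of an ignored word
            if tag not in hits:
                hits.append(tag)
            break
    return hits


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real system.
    print(find_exact_tag_hits("name=Schreffer", ["href"], []))               # ['href']
    print(find_exact_tag_hits("name=Schreffer", ["href"], ["schreffer"]))    # []
    print(find_exact_tag_hits("q=javascript%3Aalert(1)", ["javascript:"], []))  # []
```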

xsswalkbackenabled

When this optional property is enabled, input that the validator has flagged as potentially malicious is reviewed a second time: the validator performs additional evaluation of the entire request to determine whether the request is in fact acceptable, which would mean the initial report was a false positive.

This property is enabled by default. Typically, it should remain enabled. Disabling this property (by setting it to false) might increase the risk of false positives.

getdecodedisabled

If this property exists in your file, make sure it is disabled (false) unless an Infor representative tells you to enable it. (Most customers do not need this property.)

sqlinjection.validation.mode

Use the sqlinjection.validation.mode property to configure the method of detecting SQL statements or statement fragments in data. This property works only when the validators property value contains SQLInjection.

There are two modes available:

Validation mode / Description

sqlinjection.validation.mode=default

This default setting is used to detect SQL injections. The system uses this mode when the sqlinjection.validation.mode property is not set.

sqlinjection.validation.mode=advanced

This validation mode uses an additional set of advanced methods to detect SQL injections.

Note: 

Using the advanced mode may have performance implications.

  1. Check to see if the following file exists:

    Infor Lawson System Foundation: LAWDIR/system/xssvalidator.properties

    Landmark: LASYSDIR/xssvalidator.properties

  2. If the file does exist, continue with step 3.

    If the file does not exist, perform a call to the SSO servlet to generate this file. Type:

    http(s)://YourDomain.YourInforServer.com:#/SSOServlet

    The file should exist in the location specified in step 1.

  3. Open xssvalidator.properties in an editor and configure all properties that you want to use. Descriptions are in the property table earlier in this section.

    The file must have the following contents:

    xssvalidation.isenabled=true
    validators=ScriptTag,SQLInjection

    exact.tags=javascript:,vbscript,href=,script:,javascript%3a,href%3d,script%3a
    ignore.tags=

  4. Configure all properties that you want to use. Descriptions are in the property table earlier in this section.
  5. After you are finished configuring, verify that XSS validation is working.
    1. Restart your servlet container.
    2. Perform a call to the Infor Lawson SSO servlet. You can use the example URL below.
      https://your.domain.com/sso/SSOServlet?_ssoOrigUrl=https%3A%2F%2Fyour.domain.com%2Fsso%2FSSOServlet%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%68%65%6C%6C%6F%27%29%3B%3C%2F%73%63%72%69%70%74%3E%22

      where "your.domain.com" is your Infor Lawson installation location.

      If XSS validation is configured correctly, the browser returns a message similar to the following:

      "Your request contained illegal input and was canceled. Contact your system administrator for further details."

      Note: 

      If XSS validation is not configured, launching this or a similar URL results in a pop-up dialog box that simply says, "hello."

  6. When you have finished all XSS validation configuration, perform a system restart of the security server (LASE) and any application servers that deploy the SSOServlet.

Example xssvalidator.properties file

Most properties in this file are disabled by default. Enable all properties that you want to use.

xssvalidation.isenabled=true
validators=ScriptTag,SQLInjection,Hex,LdapInjection

exact.tags=javascript:,vbscript,href=,script:,javascript%3a,href%3d,script%3a,yourexacttag1,yourexacttag2,yourignoretag3
ignore.tags=yourignoretag1,yourignoretag2,yourignoretag3
xsswalkbackenabled=true