Configuring XSS (cross-site scripting) validation

XSS is a way for malicious software to add unwanted scripts to client machine pages. Infor Security provides ways to protect your web pages from these attacks.

The following table describes the features that are available and how to enable them.


Property	Values / Description
xssvalidation.isenabled	True= Enable XSS validation. False = Disable XSS validation. Note: When XSS validation is enabled, you are required to add the following property in the `RMApiInit.properties` file: `xss_validation_moveto_server=basermqueryevent`
validators	ScriptTag: Enables detection of XSS attacks by checking for various scripting tags in data. SQLInjection: Enables detection of SQL statements or statement fragments in data. Hex: Enables detection of XSS attacks by checking for various scripting tags in data that are encoded in HEX. Example: "<" is encoded as "%3C" LdapInjection: This validator is used to detect attempts to circumvent normal LDAP calls. BashCodeInjection: Enables detection of injection attacks that attempt to run bash commands on the server
exact.tags	The exact.tag list is a list of various specific sequences of characters or strings of characters that are not permitted to be used in URLs. The list is used to detect specific word with an exact match. The words in the list are comma-separated. If a space is used in the list, the matching word will include the space. For the validation to be effective, the URL encoded version of certain characters (for example :/<> and blank space) may have to be added as separate words. If the exact.tags property is missing from the properties file, a default set will be used instead. (The example file below shows the default.) Make sure you define values if the exact.tags is enabled in the properties file. If no values are defined, matching will be disabled which might be a security risk depending on your situation. Default value: "javascript:,vbscript,href=,script:,javascript%3a,href%3d,script%3a"
ignore.tags	Use the ignore.tags list to add words that are not violations but might be detected as such. Example: Suppose the exact.tags list includes the word "href," but the name "Schreffer" might legitimately occur in your data set. You can add "schreffer" to the ignore.tags list to ensure that this specific string does not trigger a violation.
xsswalkbackenabled	When this optional property is enabled, it reviews input identified as potentially malicious. If the validator finds something in a request it thinks is malicious, when this flag is enabled, the validator performs some additional evaluation of the entire request to try to determine if the request is in fact okay (which would mean the initial malicious report was a false positive). This property is enabled by default. Typically, it should remain enabled. Disabling this property (by setting it to false) might increase the risk of false positives.
getdecodedisabled	If this property exists in your file, make sure it is disabled (false) unless an Infor representative tells you to enable it. (Most customers do not need this property.)
sqlinjection.validation.mode	Use the `sqlinjection.validation.mode` property to configure the method of detecting SQL statements or statement fragments in data. This property works only when the `validators` property value contains `SQLInjection`. There are two modes available:
	Validation Mode	Description
	`sqlinjection.validation.mode=default`	This default setting will be used to detect SQL injections. The system uses this mode when the sqlinjection.validation.mode property is not set.
	sqlinjection.validation.mode=advanced	This validation mode will use an additional set of advanced methods to detect SQL injections. Note: Using the advanced mode may have performance implications.

Check to see if the following file exists:

Infor Lawson System Foundation: LAWDIR/system/xssvalidator.properties

Landmark: LASYSDIR/xssvalidator.properties
If the file does exist, continue with step 3.

If the file does not exist, perform a call to the SSO servlet to generate this file. Type

http/s:YourDomain.YourInforServer.com:#/SSOServlet

The file should exist in the location specified in step 1.
Open xssvalidator.properties in an editor and configure all properties that you want to use. Descriptions are in the table that follows.
The file must have the following contents:
```
xssvalidation.isenabled=true
validators=ScriptTag,SQLInjection 

exact.tags=javascript:,vbscript,href=,script:,javascript%3a,href%3d,script%3a
ignore.tags= 
```
Configure all properties that you want to use. Descriptions are in the table that follows.
After you are finished configuring, verify that XSS validation is working.
1. Restart your servlet container.
2. Perform a call to the Infor Lawson SSO servlet. You can use the example URL below.
```
https://your.domain.com/sso/SSOServlet?_ssoOrigUrl=https%3A%2F%2Fyour.domain.com
%2Fsso%2FSSOServlet%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%68%65%6C%6C%6F%27%29%3B
%3C%2F%73%63%72%69%70%74%3E%22
```
  where "your.domain.com" is your Infor Lawson installation location.
  
  If XSS validation is configured correctly, the browser returns a message similar to the following:
  
  "Your request contained illegal input and was canceled. Contact your system administrator for further details."
  
  Note: If XSS validation is not configured, launching this or a similar URL results in a pop-up dialog box that simply says, "hello."
When you have finished all XSS validation configuration, perform a system restart of the security server (LASE) and any application servers that deploy the SSOServlet.

Example xssvalidator.properties file

Most properties in this file are disabled by default. Enable all properties that you want to use.

xssvalidation.isenabled=true
validators=ScriptTag,SQLInjection,Hex,LdapInjection 

exact.tags=javascript:,vbscript,href=,script:,javascript%3a,href%3d,script%3a,yourexacttag1,yourexacttag2,yourignoretag3
ignore.tags=yourignoretag1,yourignoretag2,yourignoretag3
xsswalkbackenabled=true