Symantec Access Management

Tech Tip : CA Single Sign-On : Preventing Cross Site Scripting in Federation Web Services URLs.

Broadcom Employee
Posted Oct 07, 2016 05:43 AM

Question:

How can I configure my Federation Web Services (affwebservices, Web Agent Option Pack) to prevent cross site scripting attacks on Federation URLs?

Answer:

Federation Web Services (available as part of the Web Agent Option Pack) does not perform its own checking for cross site scripting (XSS, or CSS in Web Agent terminology) attacks. Instead, it relies on the standard Web Agent that fronts it to perform the CSS check. That Web Agent must have the following settings configured in its Agent Configuration Object (ACO):

"CSSChecking=yes"
"BadCSSChars=<,',>"

Note: BadCSSChars is a comma-separated list and should contain the literal characters for the following:

left angle bracket - <
single quote - '
right angle bracket - >

With these settings in place, all requests bound for Federation Web Services are intercepted and checked by the Web Agent before being forwarded or proxied to the servlet container that hosts Federation Web Services; a request whose URL contains any of the BadCSSChars characters is rejected by the agent and never reaches affwebservices.
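To make the effect of the two ACO settings concrete, here is an added illustration (not code from the Web Agent or from this tech tip) that models the check in Python: it parses a BadCSSChars value, applies it to the path and query string of a constructed affwebservices URL, and returns the decision the agent would make. The URLs, the ACO dictionary and the assumption that the check is applied to both the raw and the percent-decoded URL are mine, not the product's documented behaviour.

```python
from urllib.parse import unquote, urlsplit

# Constructed ACO values mirroring the tech tip (assumption: a plain dict stands in
# for the real Agent Configuration Object).
ACO = {"CSSChecking": "yes", "BadCSSChars": "<,',>"}


def parse_bad_css_chars(value: str) -> set[str]:
    """BadCSSChars is a comma-separated list of single literal characters.
    Empty items (e.g. from a trailing comma) are ignored."""
    return {item for item in value.split(",") if item}


def url_has_bad_chars(url: str, bad: set[str]) -> bool:
    """True if the path or query contains any forbidden character.
    Assumption: both the raw and the percent-decoded forms are inspected, so an
    encoded %3C does not slip past a check for '<'."""
    parts = urlsplit(url)
    segments = [parts.path, parts.query, unquote(parts.path), unquote(parts.query)]
    return any(ch in segment for segment in segments for ch in bad)


def agent_decision(url: str, aco: dict = ACO) -> str:
    """Model the Web Agent in front of affwebservices: 'forward' or 'reject'."""
    if aco.get("CSSChecking", "no").strip().lower() != "yes":
        return "forward"  # checking disabled: request goes straight to the servlet
    bad = parse_bad_css_chars(aco.get("BadCSSChars", ""))
    return "reject" if url_has_bad_chars(url, bad) else "forward"


if __name__ == "__main__":
    # Constructed sample federation URLs (hostnames are placeholders).
    base = "https://sp.example.com/affwebservices/public/saml2sso"
    clean = base + "?SPID=urn:sp&RelayState=https%3A%2F%2Fapp.example.com%2Fhome"
    encoded = base + "?RelayState=%3Cb%3Ehi"
    raw_quote = base + "?RelayState=a'b"
    for u in (clean, encoded, raw_quote):
        print(agent_decision(u), u)
```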

Additional Information:

See the Web Agent Guide for further details. This applies to all CA Single Sign-On (SiteMinder) versions.

KB: TEC491841