Layer7 Access Management

Tech Tip : CA Single Sign-On : Preventing Cross Site Scripting in Federation Web Services URLs.

  • 1.  Tech Tip : CA Single Sign-On : Preventing Cross Site Scripting in Federation Web Services URLs.

    Posted 10-07-2016 05:43 AM

    Question :

     

    How can I configure my Federation Web Services (affwebservices, Web Agent Option Pack) to prevent cross site scripting attacks on Federation URLs?

     

    Answer :

     

    Federation Web Services (available as part of the Web Agent Option Pack) does not provide checking for cross site scripting (XSS or CSS) attacks. Rather, it relies on the standard Web Agent to perform CSS checking. The Web Agent must have the following settings configured in the Agent Configuration Object (ACO).

     

    "CSSChecking=yes"
    "BadCSSChars=<,',>"

     

    Note: BadCSSChars should contain the literal characters for the following:

     

    left angle bracket - <
    single quote - '
    right angle bracket - >

     

    All requests bound for Federation Web Services will be intercepted and checked by the Web Agent before being referred or proxied to the servlet container for Federation Web Services.

     

    Additional Information:

     

    See the Web Agent Guide for further details. This applies all CA Single Sign-On ( siteminder ) versions

     

    KB : TEC491841