The best way to prevent cross-site scripting attacks is to let the server only static pages. This, however, can be hard in a dynamic world.
One typical attack is: you request a non-existent resource where the name is actual a script tag. That causes the server to respond a html page saying that this page does not exists – now imbedded with the script…. And this script can redirect you to a hostile page.
GET /iDontExists<script>window.location.href="http://www.hostile.com”</script>.html
The point is that it is the IceBreak server which now serves a page containing the bad redirect, which is under the radar of the browsers security system.
…Tricky!
Normally IceBreak will HTML-encode the response – however some hackers might be ahead of the encoding.
The cure to be 100% sure is however relativly easy top implement:
Step 1:
You need to customize the 404 page (403 and 500) so they do not feed back the request resource - make them produce a static response:
Now copy the
/www/YourServer/System/errors
to
/www/YourServer/System/shared/errors
Note “shared” will not be replaced from upgrade to upgrade, so the modifications you make here are safe.
The erros folder contain default documents to respond – Now modify them to customer need:
The error messages have always the $msg marker which causes the cross-site scripting vulnerability – so simply remove the following in red:
<html>
<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252"/>
<link rel="stylesheet" type="text/css" href="/System/Styles/IceBreak.css"/>
<link rel="stylesheet" type="text/css" href="/System/Skins/IceBreakAdmin/application.css" />
</head>
<body>
<div id="TitlePane">
<div id="TitlePane-Text">Error 404</div>
</div>
<img src="/system/images/server_information32.gif" alt="Current server" class="TitlePaneIcon" />
<p>The resource you requested was not found or does no longer exists</p>
<p>The technical description is:</p>
<div><b>$msg</b></div>
</body>
</html>
Step 2:
Menu links: if you have a construction in your code where menus navigate to specific pages – a hacker can make them point to a hostile page:
If any of your code ends up with a construction similar to:
GET /navigating.aspx?function=myWebApp.aspx
That can easy be hacked and changed to:
GET /navigating.aspx?function=http://www.hostilePage.php
So to prevent that - only give the client side a token / a key to the application to load – never a direct link. The above can be changed to:
GET /navigating.aspx?function=1
Where you on the server redirect or load or ajax the following
Chain reqNum(‘function’) myMenuFile;
If %found;
Redirect(myMenuOption); // From the menu file
Endif;
The customer has installed 0433 and tried as per your instructions but unfortunately this does not seem to work, IceBreak is still responding with the default 404 page.
We have a major issue here with Icecap where, if an Icecap session times out the job does not close completely and sometimes when the User opens the next session it automatically picks up the credentials from the previous one. We do not seem to have a means to monitor for a session time out and close the job correctly or to advise the User that the session has timed out.
I know it has been reported there is no solution. However I would like to explain that this is a major issue for us and is a potential security issue as well as User unfriendly. Any advice on this subject would be appreciated.
For your information – see below an issue report from one of our User testers.
Testing menu option 13 Transfer Stock To Another Store
I created then deleted a number of transfers.
Sometimes I was allowed to delete the transfer and sometimes I was asked to sign in first. Instead of signing in I hit cancel, returned to the main menu and was then able to select Option 13 and delete without being asked to Sign on.
After successfully creating and deleting a transfer I have returned to the main menu, upon selecting Option 13 I am immediately asked to Sign on:
Issue - The sign on request seeks completely random.
This is controlled by the “webconfig.xml” which is located in the IFS on the server root path.
If you search in the “IceBreak Programmers Guide” you can find a number of references to the use of webconfig.xml, However there is not a chapter on its own that completely describe all the features of webconfig.xml – we will of course change that:
Here is a sample:
( Note the bolded tag – this is what we will talk about)
<?xml version="1.0" encoding="utf-8" ?>
<!--
Note all xxx_ tags and attibutes a remarks.
You can access the webconfig at runtime with. However, updates as unpredictable behaviors.
pMyConfig = getWEbConfig();
-->
<configuration>
<!-----------------------------------------------------------------------------------------
The SSL tag controls the version of SSL or/and TLS used if the server is put in
HTTPS mode:
protocolLevel:
0 : TLS with SSL Version 3.0 and SSL Version 2.0 compatibility
2 : SSL Version 2.0 only
3 : SSL Version 3.0 only - recommended
4 : TLS Version 1 only
5 : TLS Version 1 with SSL Version 3.0 compatibility
timeout, wait timer in seconds:
0 : Forever
-->
<ssl
protocolLevel="4"
timeout="10"
/>
<!----------------------------------------------------------------------------------------
Any additional response headers required to make your application work.
These headers are added for both static and dynamic responses (both the webserver
and the application server provide these headers)
-->
<headers>
<var name="Access-Control-Allow-Origin" value="http://www.icebreak.org"/>
<var name="Access-Control-Allow-Credentials" value="true"/>
<var name="Access-Control-Expose-Headers" value="FooBar"/>
</headers>
<!----------------------------------------------------------------------------------------
The globalvar tag contains global constants you can access with the globalGetVar()
on to of the dynamic get/set-globalvar
This is a perfect spot for site configuration
-->
<globalvar>
<var name="Company" value="System & Method"/>
</globalvar>
<!----------------------------------------------------------------------------------------
The session tag handles the behavior of the application server:
The cookie attribute is extra parameters you can append for the session
cookie.
The exitPgm API is called when a session is created and when it
is terminated to let you control custom housekeeping
See the ICEBREAK/QSAMPLE source file - ICESESSION for an example
-->
<session
exitPgm="SVCUDV/ICESESSION"
xxx_cookie="Version=1; Path=/; Discard; secure; HttpOnly"
cookie="Version=1; Path=/; Discard"
encrypt="true"
encryptionKey="MySecret"
/>
<!----------------------------------------------------------------------------------------
envvar is the ENVVAR for the application server job. If you utilize the RPG/JAVA
instead of the IceBreak native java, you can set up the RPG/JAVA classpath and
propertylist here. Don't confuse this by the java tag which is only for IceBreak
native JVM.
Other envvar like PATH etc can be set here if you are using QSH, PASE or other unix
like feature relying on environment vars.
-->
<envvar>
<var name="CLASSPATH" value="/udv/icebreak/java/IceBreakTools.jar"/>
<var name="QIBM_RPG_JAVA_PROPERTIES" value="-Djava.awt.headless=true;-Djava.version
=1.4;-Dos400.stderr=file:stderr.txt;"/>
</envvar>
<!----------------------------------------------------------------------------------------
The java tag controls the native IceBreak JVM. You need to set up the classpath
where your classes and jars can be found and also the version of java requires to
run your java application
The JVM used is any of LIC-JVM's provide by your IBMi. For more information - Read
the "IceBreak programmers guide" - java section
-->
<java
classpath="/www/systest/java/icebreaktest.jar"
xxx_classpath="/www/systest/java/icebreaktest.jar:/www/systest/java/lib/sqljdbc.jar"
version="1.5">
<property name="test" value="demo"/>
<property name="t2" value="zzz"/>
<property name="driver" value="com.microsoft.sqlserver.jdbc.SQLServerDriver"/>
</java>
<!----------------------------------------------------------------------------------------
The response content will be compressed if the size is greater the threshold limit
and if the client supports the algorithm.
There is a small performance penalty in the compression algorithm, so don't set
the threshold too low (less than 4K)
GZIP is the supported compression algorithm
-->
<contentEncoding
type="GZIP"
threshold="40960"
/>
<!-----------------------------------------------------------------------------------------
The upload tag describes a virtual path for the physical target for any HTTP upload
multipartmime and the HTTP PUT method.
-->
<upload allowPUT="true" putExitPgm="*LIBL/HANDLEPUT">
<map alias="upload" path="/upload"/> <!-- upload goes to the IFS root "upload"
folder" -->
<map alias="dangerus" path="."/> <!-- Never do this!! it uploads to the icebreak
server root -->
<map alias="superbad" path="/"/> <!-- Never never do this!! it allows the user to
access the total IFS -->
<map alias="*" path="/tmp"/> <!-- catch all - goes to /tmp -->
</upload>
<!----------------------------------------------------------------------------------------
Hives is virtual Paths and maps to the associated application library and library
list.
Good practice is to keep a special char in the hive name so it will be confused by
at physical path in the IFS
-->
<hives>
<map alias="-develop" path="/udv/icebreak/system" pgmSource="/udv/icebreak/system"
lib="SVCUDV" />
<map alias="----xx" pluginProcedure="myUrlMapper" path="/www/development/icemnu"
lib="ICEMNUDEV" />
<map alias="-demo" dftdoc="index.html" path="/www/demo" lib="DEMO" libl="DEMO QGPL
SYSTEST NORTHWIND" />
</hives>
<!-----------------------------------------------------------------------------------------
Mime types maps the files suffix with the content type required in the HTTP
protocol.
Also any file suffix can trigger the activation of the application server - either
as a program call, a service program procedure call or a java method call.
Keep this list optimized with only used mime types in your application (don't
bloat this list!!)
Used but unlisted mime-types will occur as warnings in the joblog
-->
<mimeTypes>
<map suffix="css" contentType="text/css" />
<map suffix="jar" contentType="application/java" />
<map suffix="js" contentType="application/x-javascript" />
<map suffix="png" contentType="image/png" />
<map suffix="gif" contentType="image/gif" />
<map suffix="jpg" contentType="image/jpeg" />
<map suffix="jpeg" contentType="image/jpeg" />
<map suffix="html" contentType="text/html" />
<map suffix="ico" contentType="image/x-icon" />
<map suffix="aspx" contentType="text/html" callType="PGM"/>
<map suffix="asmx" contentType="text/html" callType="SRVPGM"/>
<map suffix="pgm" contentType="text/html" callType="PGM"/>
<map suffix="asp" contentType="text/html" callType="PGM"/>
<map suffix="pdf" contentType="application/pdf" />
</mimeTypes>
</configuration>
Re: How to prevent Cross-Site Scripting Attacks in IceBreak
Hi;
The best way to prevent cross-site scripting attacks is to let the server only static pages. This, however, can be hard in a dynamic world.
One typical attack is: you request a non-existent resource where the name is actual a script tag. That causes the server to respond a html page saying that this page does not exists – now imbedded with the script…. And this script can redirect you to a hostile page.
The point is that it is the IceBreak server which now serves a page containing the bad redirect, which is under the radar of the browsers security system.
…Tricky!
Normally IceBreak will HTML-encode the response – however some hackers might be ahead of the encoding.
The cure to be 100% sure is however relativly easy top implement:
Step 1:
You need to customize the 404 page (403 and 500) so they do not feed back the request resource - make them produce a static response:
Now copy the
/www/YourServer/System/errors
to
/www/YourServer/System/shared/errors
Note “shared” will not be replaced from upgrade to upgrade, so the modifications you make here are safe.
The erros folder contain default documents to respond – Now modify them to customer need:
The error messages have always the $msg marker which causes the cross-site scripting vulnerability – so simply remove the following in red:
<html> <head> <meta http-equiv=Content-Type content="text/html; charset=windows-1252"/> <link rel="stylesheet" type="text/css" href="/System/Styles/IceBreak.css"/> <link rel="stylesheet" type="text/css" href="/System/Skins/IceBreakAdmin/application.css" /> </head> <body> <div id="TitlePane"> <div id="TitlePane-Text">Error 404</div> </div> <img src="/system/images/server_information32.gif" alt="Current server" class="TitlePaneIcon" /> <p>The resource you requested was not found or does no longer exists</p> <p>The technical description is:</p> <div><b>$msg</b></div> </body> </html>Step 2:
Menu links: if you have a construction in your code where menus navigate to specific pages – a hacker can make them point to a hostile page:
If any of your code ends up with a construction similar to:
That can easy be hacked and changed to:
So to prevent that - only give the client side a token / a key to the application to load – never a direct link. The above can be changed to:
Where you on the server redirect or load or ajax the following
Chain reqNum(‘function’) myMenuFile; If %found; Redirect(myMenuOption); // From the menu file Endif;Best regards,
Niels Liisberg
Re: How to prevent Cross-Site Scripting Attacks in IceBreak
Thanks for this.
Is there a minimum IceBreak build required for this to work as I've never been able to customize the 500 error page?
Re: How to prevent Cross-Site Scripting Attacks in IceBreak
The customer has installed 0433 and tried as per your instructions but unfortunately this does not seem to work, IceBreak is still responding with the default 404 page.
Re: How to prevent Cross-Site Scripting Attacks in IceBreak
If we can make a TeamViewer session in the near future I will be happy to configure it for you.
Best regards,
Niels Liisberg
Re: How to prevent Cross-Site Scripting Attacks in IceBreak
Hi Niels,
Separate subject
We have a major issue here with Icecap where, if an Icecap session times out the job does not close completely and sometimes when the User opens the next session it automatically picks up the credentials from the previous one. We do not seem to have a means to monitor for a session time out and close the job correctly or to advise the User that the session has timed out.
I know it has been reported there is no solution. However I would like to explain that this is a major issue for us and is a potential security issue as well as User unfriendly. Any advice on this subject would be appreciated.
For your information – see below an issue report from one of our User testers.
Testing menu option 13 Transfer Stock To Another Store
I created then deleted a number of transfers.
Sometimes I was allowed to delete the transfer and sometimes I was asked to sign in first. Instead of signing in I hit cancel, returned to the main menu and was then able to select Option 13 and delete without being asked to Sign on.
After successfully creating and deleting a transfer I have returned to the main menu, upon selecting Option 13 I am immediately asked to Sign on:
Issue - The sign on request seeks completely random.
Re: How to prevent Cross-Site Scripting Attacks in IceBreak
There is a solution!!
You can setup you own "session end” API to do what ever cleanup required.
Best regards,
Niels Liisberg
Re: How to prevent Cross-Site Scripting Attacks in IceBreak
Could you point me to documentation or let me know how to set this up?
Re: How to prevent Cross-Site Scripting Attacks in IceBreak
Hi;
This is controlled by the “webconfig.xml” which is located in the IFS on the server root path.
If you search in the “IceBreak Programmers Guide” you can find a number of references to the use of webconfig.xml, However there is not a chapter on its own that completely describe all the features of webconfig.xml – we will of course change that:
Here is a sample:
( Note the bolded tag – this is what we will talk about)
<?xml version="1.0" encoding="utf-8" ?> <!-- Note all xxx_ tags and attibutes a remarks. You can access the webconfig at runtime with. However, updates as unpredictable behaviors. pMyConfig = getWEbConfig(); --> <configuration> <!----------------------------------------------------------------------------------------- The SSL tag controls the version of SSL or/and TLS used if the server is put in HTTPS mode: protocolLevel: 0 : TLS with SSL Version 3.0 and SSL Version 2.0 compatibility 2 : SSL Version 2.0 only 3 : SSL Version 3.0 only - recommended 4 : TLS Version 1 only 5 : TLS Version 1 with SSL Version 3.0 compatibility timeout, wait timer in seconds: 0 : Forever --> <ssl protocolLevel="4" timeout="10" /> <!---------------------------------------------------------------------------------------- Any additional response headers required to make your application work. These headers are added for both static and dynamic responses (both the webserver and the application server provide these headers) --> <headers> <var name="Access-Control-Allow-Origin" value="http://www.icebreak.org"/> <var name="Access-Control-Allow-Credentials" value="true"/> <var name="Access-Control-Expose-Headers" value="FooBar"/> </headers> <!---------------------------------------------------------------------------------------- The globalvar tag contains global constants you can access with the globalGetVar() on to of the dynamic get/set-globalvar This is a perfect spot for site configuration --> <globalvar> <var name="Company" value="System & Method"/> </globalvar> <!---------------------------------------------------------------------------------------- The session tag handles the behavior of the application server: The cookie attribute is extra parameters you can append for the session cookie. The exitPgm API is called when a session is created and when it is terminated to let you control custom housekeeping See the ICEBREAK/QSAMPLE source file - ICESESSION for an example --> <session exitPgm="SVCUDV/ICESESSION" xxx_cookie="Version=1; Path=/; Discard; secure; HttpOnly" cookie="Version=1; Path=/; Discard" encrypt="true" encryptionKey="MySecret" /> <!---------------------------------------------------------------------------------------- envvar is the ENVVAR for the application server job. If you utilize the RPG/JAVA instead of the IceBreak native java, you can set up the RPG/JAVA classpath and propertylist here. Don't confuse this by the java tag which is only for IceBreak native JVM. Other envvar like PATH etc can be set here if you are using QSH, PASE or other unix like feature relying on environment vars. --> <envvar> <var name="CLASSPATH" value="/udv/icebreak/java/IceBreakTools.jar"/> <var name="QIBM_RPG_JAVA_PROPERTIES" value="-Djava.awt.headless=true;-Djava.version =1.4;-Dos400.stderr=file:stderr.txt;"/> </envvar> <!---------------------------------------------------------------------------------------- The java tag controls the native IceBreak JVM. You need to set up the classpath where your classes and jars can be found and also the version of java requires to run your java application The JVM used is any of LIC-JVM's provide by your IBMi. For more information - Read the "IceBreak programmers guide" - java section --> <java classpath="/www/systest/java/icebreaktest.jar" xxx_classpath="/www/systest/java/icebreaktest.jar:/www/systest/java/lib/sqljdbc.jar" version="1.5"> <property name="test" value="demo"/> <property name="t2" value="zzz"/> <property name="driver" value="com.microsoft.sqlserver.jdbc.SQLServerDriver"/> </java> <!---------------------------------------------------------------------------------------- The response content will be compressed if the size is greater the threshold limit and if the client supports the algorithm. There is a small performance penalty in the compression algorithm, so don't set the threshold too low (less than 4K) GZIP is the supported compression algorithm --> <contentEncoding type="GZIP" threshold="40960" /> <!----------------------------------------------------------------------------------------- The upload tag describes a virtual path for the physical target for any HTTP upload multipart mime and the HTTP PUT method. --> <upload allowPUT="true" putExitPgm="*LIBL/HANDLEPUT"> <map alias="upload" path="/upload"/> <!-- upload goes to the IFS root "upload" folder" --> <map alias="dangerus" path="."/> <!-- Never do this!! it uploads to the icebreak server root --> <map alias="superbad" path="/"/> <!-- Never never do this!! it allows the user to access the total IFS --> <map alias="*" path="/tmp"/> <!-- catch all - goes to /tmp --> </upload> <!---------------------------------------------------------------------------------------- Hives is virtual Paths and maps to the associated application library and library list. Good practice is to keep a special char in the hive name so it will be confused by at physical path in the IFS --> <hives> <map alias="-develop" path="/udv/icebreak/system" pgmSource="/udv/icebreak/system" lib="SVCUDV" /> <map alias="----xx" pluginProcedure="myUrlMapper" path="/www/development/icemnu" lib="ICEMNUDEV" /> <map alias="-demo" dftdoc="index.html" path="/www/demo" lib="DEMO" libl="DEMO QGPL SYSTEST NORTHWIND" /> </hives> <!----------------------------------------------------------------------------------------- Mime types maps the files suffix with the content type required in the HTTP protocol. Also any file suffix can trigger the activation of the application server - either as a program call, a service program procedure call or a java method call. Keep this list optimized with only used mime types in your application (don't bloat this list!!) Used but unlisted mime-types will occur as warnings in the joblog --> <mimeTypes> <map suffix="css" contentType="text/css" /> <map suffix="jar" contentType="application/java" /> <map suffix="js" contentType="application/x-javascript" /> <map suffix="png" contentType="image/png" /> <map suffix="gif" contentType="image/gif" /> <map suffix="jpg" contentType="image/jpeg" /> <map suffix="jpeg" contentType="image/jpeg" /> <map suffix="html" contentType="text/html" /> <map suffix="ico" contentType="image/x-icon" /> <map suffix="aspx" contentType="text/html" callType="PGM"/> <map suffix="asmx" contentType="text/html" callType="SRVPGM"/> <map suffix="pgm" contentType="text/html" callType="PGM"/> <map suffix="asp" contentType="text/html" callType="PGM"/> <map suffix="pdf" contentType="application/pdf" /> </mimeTypes> </configuration>Best regards,
Niels Liisberg