Skip to main content

ATG - how to prevent Cross-Site attacks using _dynSessConf parameter


Cross-site scripting attacks take advantage of a vulnerability that enables a malicious site to use your browser to submit form requests to another site.

In order to protect forms from cross-site attacks in ATG, you can enable form submissions to automatically supply the request parameter _dynSessConf, which identifies the current session through a randomly generated long number. On submission of a form (using dsp:form tag) or activation of a property setting (using dsp:a tag), the request-handling pipeline ( DAFDropletEventServlet ) validates _dynSessConf  against its session confirmation identifier. If it detects a mismatch or missing number, it can block form processing and return an error.

To disable this functionality, we could give the following properties (@ /atg/dynamo/Configuration to disable it globally)
enforceSessionConfirmation = false -->  specifies whether the request-handling pipeline requires session confirmation in order to process the request; the default value is true.
warnOnSessionConfirmationFailure = false --> specifies whether to issue a warning on a confirmation number mismatch; the default value is true.

You can control session confirmation for individual requests by setting the attribute requiresSessionConfirmation to true or false on the applicable dsp:form or dsp:a tag. If this attribute is set to false, the _dynSessConf parameter is not included in the HTTP request and the request-handling pipeline skips validation of this request’s session confirmation number.
Labels:

Comments

  1. Anonymous15 May 2014 at 00:53

    http://docs.oracle.com/cd/E24152_01/Platform.10-1/ATGBusCommRefGuide/html/s1402sessionexpirationfromlackofusera01.html

    Can we handle 409 conflict using CheckSessionExpiration?
    I tried this. But before reaching request to pipeline,web.xml redirect to url mention there.

    ReplyDelete

Post a Comment

Popular posts from this blog

JBoss - know more about the JBoss directory structure

Fundamentally, the JBoss architecture consists of the JMX MBean server, the microkernel, and a set of pluggable component services - the MBeans. The JBoss Application Server ships with three different server configurations. Within the <JBoss_Home>/server directory, you will find three subdirectories: minimal, default and all. The default configuration is the one used if you don’t specify another one when starting up the server. If you want to know which services are configured in each of these instances, look at the jboss-service.xml file in the <JBoss_Home>/server/<instance-name>/conf/ directory and also the configuration files in the <JBoss_Home>/server/<instance-name>/deploy directory. JBoss 4.0 features an embedded Apache Tomcat 5.5 servlet container. conf --> The conf directory contains the jboss-service.xml bootstrap descriptor file for a given server configuration. This has the jboss-log4j.xml file which configures the Apach...
Post a Comment
Read more

How to simulate Browser back button

When someone asks how to simulate a back button, they really mean to ask how to create a link that points to the previously visited page. Most browsers tend to keep a list of which websites the user has visited and in what order they have done so. The DOM window object provides access to the browser's history through the history object. Moving backward and forward through the user's history is done using the   back(), forward(), and go() methods of the  history  object. To move backward through history, just do window.history.back() ; This will act exactly like the user clicked on the Back button in their browser toolbar. Find below a sample html code: <html> <head> <script type="text/javascript"> function goBack(){  window.history.back() } </script> </head> <body>    <input type="button" value="Back" onclick="goBack()" /> </body> </html>
Post a Comment
Read more

CamStudio - to capture your screen activity into video (Screen casting free software)

CamStudio is a tool (open source) for recording screen activity into standard AVI video files (screen casting software). It also have the audio record feature. It can also used to convert AVIs into Flash Video format. Read more about screencast @  http://en.wikipedia.org/wiki/Screencast . You can download CamStudio from:   http://sourceforge.net/projects/camstudio/    or   http://camstudio.org/  . I have uploaded a demo video, recorded using the Camstudio release 2.6. You could watch a high quality  video @ Youtube:  http://www.youtube.com/watch?v=7S-6aHFcuUM or you could find a video with low resolution below : CamStudio can be used to: Create movies used in user trainings Demonstrate features of a new software Track the progress of a program that executes for a long time Record the sequence of steps that cause the occurrence of bugs in a faulty software Record a movie stream  Convert AVI files to Flash (...
Post a Comment
Read more

ATG Search and how to generate XHTMLs from STG file

The ATG search  indexing will give you the idx and stg files. When I analyse the stg files with some text editors like Textpad or Ultraedit , found some <html> and </html> tags and the contents inside these tags seems to be the same content of the temporary XHTML files , which will be generated during the search indexing for each indexed item. So I deicded to take the contents in between the <html> and </html> tags and save as XHTML file and it works for almost all indexed items. As you might know, these XHTML file’s <head> tag contains all the meta properties ( refine properties ) and the <body> tag have the text properties ( searchable properties ) for each indexed item. Please note that the above steps are not an ATG recommended method to generate the XHTML files. I come across to this simple method to form the XHTML files and I am not 100% sure that this will give all the XHTML files of a search index . But I found this to be very useful f...
Post a Comment
Read more

Eclipse plugin: InstaSearch – for quick search

InstaSearch is an Eclipse plug-in for performing quick and advanced search of workspace files. This will index the files and when you search for some file contents, it will look with in this index and the search results will be faster, just like the Goolge instant search. It uses Lucene ( http://lucene.apache.org/ ) for indexing and fast searching of files in the workspace. Each search result file then can be previewed using few most matching and relevant lines. A double-click on the match leads to the matching line in the file. Main Features Instantly shows search results Shows a preview using relevant lines Periodically updates the index Matches partial words (e.g. case in CamelCase) Opens and highlights matches in files Searches JAR source attachments Supports filtering by extension/project/working set Download / Installation In Eclipse Helios (3.6) please install using the  Eclipse Marketplace from the Help menu http://marketplace.eclipse.org/s...
Post a Comment
Read more