Skip to main content

ATG - how to prevent Cross-Site attacks using _dynSessConf parameter


Cross-site scripting attacks take advantage of a vulnerability that enables a malicious site to use your browser to submit form requests to another site.

In order to protect forms from cross-site attacks in ATG, you can enable form submissions to automatically supply the request parameter _dynSessConf, which identifies the current session through a randomly generated long number. On submission of a form (using dsp:form tag) or activation of a property setting (using dsp:a tag), the request-handling pipeline ( DAFDropletEventServlet ) validates _dynSessConf  against its session confirmation identifier. If it detects a mismatch or missing number, it can block form processing and return an error.

To disable this functionality, we could give the following properties (@ /atg/dynamo/Configuration to disable it globally)
enforceSessionConfirmation = false -->  specifies whether the request-handling pipeline requires session confirmation in order to process the request; the default value is true.
warnOnSessionConfirmationFailure = false --> specifies whether to issue a warning on a confirmation number mismatch; the default value is true.

You can control session confirmation for individual requests by setting the attribute requiresSessionConfirmation to true or false on the applicable dsp:form or dsp:a tag. If this attribute is set to false, the _dynSessConf parameter is not included in the HTTP request and the request-handling pipeline skips validation of this request’s session confirmation number.
Labels:

Comments

  1. Anonymous15 May 2014 at 00:53

    http://docs.oracle.com/cd/E24152_01/Platform.10-1/ATGBusCommRefGuide/html/s1402sessionexpirationfromlackofusera01.html

    Can we handle 409 conflict using CheckSessionExpiration?
    I tried this. But before reaching request to pipeline,web.xml redirect to url mention there.

    ReplyDelete

Post a Comment

Popular posts from this blog

JBoss - know more about the JBoss directory structure

Fundamentally, the JBoss architecture consists of the JMX MBean server, the microkernel, and a set of pluggable component services - the MBeans. The JBoss Application Server ships with three different server configurations. Within the <JBoss_Home>/server directory, you will find three subdirectories: minimal, default and all. The default configuration is the one used if you don’t specify another one when starting up the server. If you want to know which services are configured in each of these instances, look at the jboss-service.xml file in the <JBoss_Home>/server/<instance-name>/conf/ directory and also the configuration files in the <JBoss_Home>/server/<instance-name>/deploy directory. JBoss 4.0 features an embedded Apache Tomcat 5.5 servlet container. conf --> The conf directory contains the jboss-service.xml bootstrap descriptor file for a given server configuration. This has the jboss-log4j.xml file which configures the Apach...
Post a Comment
Read more

How can we use SOAP UI to test ATG search

The call from the ATG commerce instance ( Estore instance ) to the search engine is done using the SOAP protocol. Read more about this architecture @  http://tips4ufromsony.blogspot.com/2011/11/atg-search-architectural-flow-search.html . If you have a SOAP UI tool (get it from @  http://www.soapui.org/ ), you could test the request/response from the search engine. You could find the wsdl for this SOAP in the folder in which your ATG search engine is installed. Below screen shot has the deatils of the wsdl : To call the search engine you need to know the port in which the search engine is running. You could get it from the SearchEngineService component of the commerce instance @ /dyn/admin/nucleus/atg/search/routing/SearchEngineService/.  Once you have these details, you could call the search engine with a sample request and a query string to get the response.
Post a Comment
Read more

ATG CA - BCC home screen : how to add a new link

          Activity source is the property which controls the links on the left nav on the BCC home screen. All activity sources are registered with the ActivityManager component at /atg/bizui/activity/ActivityManager . When rendering the BCC home page, the ActivityManager cycles through all the registered ActivitySource components and displays left navigation links for each of them on the BCC home page. For example if I want to add a new link "My New Link" , below screen shots exaplins how this can be done 1. Add  activityManager.properties to specify the activityresources. In this  activityManager, I specified one MyActivitySource. 2. Add  MyActivitySource.properties  to specify the name of the link and the other details . Here it refers to a bundle properties file.  3. Add  the bundle properties file  to specify the name of the link.  4. Now you could see the new link...
6 comments
Read more

Eclipse plug-in to create Class and Sequence diagrams

ModelGoon is an Eclipse plug-in avaiable for UML diagram generation from Java code. It can be used to generate Package Dependencies Diagram, Class Diagram, Interaction Diagram and Sequence Diagram. You coud get it from http://marketplace.eclipse.org/content/modelgoon-uml4java Read more about it and see some vedios about how to create the class and sequence diagram @ http://www.modelgoon.org/?tag=eclipse-plugin Find some snapshots below which gives an idea about the diagram generation.
8 comments
Read more

ATG CA - different activity sources used @ BCC

Read about how a new link can be added in BCC home page @  http://tips4ufromsony.blogspot.com/2012/03/atg-ca-bcc-home-screen-how-to-add-new.html Normally an ActivitySource.properties file define the set of actions that it supports under a genericActivityDefinitionFile. But some ActivitySource.properties  define the actions  using the workflowActivityDefinitionFiles. For example consider the default "Content Administration" ,  "SearchAdministration",  " Merchanding "  and "Personalization" options in BCC homepage. Below I listed the ActivitySource.properties and other properties for these links. To get all these activitysource names, just take the / atg/bizui/activity/ActivityManager  component @ dyn/admin. Content Administration ActivitySource  --> /atg/bizui/activity/PublishingActivitySource genericActivityDefinitionFile Search Administration ActivitySource  --> /atg/bizui/...
1 comment
Read more