Skip to main content

ATG - how to prevent Cross-Site attacks using _dynSessConf parameter


Cross-site scripting attacks take advantage of a vulnerability that enables a malicious site to use your browser to submit form requests to another site.

In order to protect forms from cross-site attacks in ATG, you can enable form submissions to automatically supply the request parameter _dynSessConf, which identifies the current session through a randomly generated long number. On submission of a form (using dsp:form tag) or activation of a property setting (using dsp:a tag), the request-handling pipeline ( DAFDropletEventServlet ) validates _dynSessConf  against its session confirmation identifier. If it detects a mismatch or missing number, it can block form processing and return an error.

To disable this functionality, we could give the following properties (@ /atg/dynamo/Configuration to disable it globally)
enforceSessionConfirmation = false -->  specifies whether the request-handling pipeline requires session confirmation in order to process the request; the default value is true.
warnOnSessionConfirmationFailure = false --> specifies whether to issue a warning on a confirmation number mismatch; the default value is true.

You can control session confirmation for individual requests by setting the attribute requiresSessionConfirmation to true or false on the applicable dsp:form or dsp:a tag. If this attribute is set to false, the _dynSessConf parameter is not included in the HTTP request and the request-handling pipeline skips validation of this request’s session confirmation number.
Labels:

Comments

  1. Anonymous15 May 2014 at 00:53

    http://docs.oracle.com/cd/E24152_01/Platform.10-1/ATGBusCommRefGuide/html/s1402sessionexpirationfromlackofusera01.html

    Can we handle 409 conflict using CheckSessionExpiration?
    I tried this. But before reaching request to pipeline,web.xml redirect to url mention there.

    ReplyDelete

Post a Comment

Popular posts from this blog

Mozilla FireFox - how to add security certificate exception urls

If you visit a web site with a secure connection(https) and if the website's security certificate has some problem like the security certificate presented by the website was not issued by a trusted certificate authority  or  the security certificate has expired or is not yet valid, you will get an error page ( like below in IE ) with an option to continue to this website. When this non secure page is loading, in Internet Explorer, you will get an option to specify whether you need to download the page content files like JS, CSS, Images,... But you will not get such an option in FireFox/Chrome and could see only the text data in this new non secure page. If you are doing some local development with FireFox/Chrome and have such a situation, you might want to override this security restriction. FireFox provides some exception url list in secure certificates menu. Go to Options - Advanced - Encryption - View Certificates and click the exception list and...
Post a Comment
Read more

How can we use SOAP UI to test ATG search

The call from the ATG commerce instance ( Estore instance ) to the search engine is done using the SOAP protocol. Read more about this architecture @  http://tips4ufromsony.blogspot.com/2011/11/atg-search-architectural-flow-search.html . If you have a SOAP UI tool (get it from @  http://www.soapui.org/ ), you could test the request/response from the search engine. You could find the wsdl for this SOAP in the folder in which your ATG search engine is installed. Below screen shot has the deatils of the wsdl : To call the search engine you need to know the port in which the search engine is running. You could get it from the SearchEngineService component of the commerce instance @ /dyn/admin/nucleus/atg/search/routing/SearchEngineService/.  Once you have these details, you could call the search engine with a sample request and a query string to get the response.
Post a Comment
Read more

Quick Reference to JAVA Servlets

I am writing these quick reference blogs for those who wants to brushup the ideas of each topic. This one will lead you through the basic concepts of JAVA Servlets. How this quick reference guideline is different from the numerous other docs available ?  ,  please read on to get an idea : Servlet Lifecycle : The container will identify the servlet based on the URL Servlet class loading Servlet instantaition Call init method Create a servlet thread for the current request. Before calling service(), will create the request and response objects Call service method Service method will identify whether to call doGet or doPost and call it Call destroy method Different servlet objects : A sinlge servlet instance per JVM ( except for SingleTheadModel) A sinlge HttpSession per web application ( session activation and passivation) A sinlge ServletContext per JVM A sinlge ServletConfig per servlet A sinlge ServletRequest per servlet request Important Servlet rq...
Post a Comment
Read more

Search Facets - how to create a new search facets in ATG Search

A Facet is a search refinement element that corresponds to a property of a commerce item type. ATG supports the search result refinement using the Faceted Search concept. Read more about facted search @  http://en.wikipedia.org/wiki/Faceted_search . Facet can either be ranges or specific values. Each facet is stored in the RefinementRepository as a separate refineElement repository item. Facets are divided into Global and Local facets. Global facets apply to all the categories and local facets only to the category in which they are created. For example Price/Brand can be considered as the facets that are common for all skus and New Release/Coming Soon can be considered as the facets that are specific to Physical Media products like Vidoe/DVD/Blue-ray/Books. We can use the ATG BCC - Merchandising UI to create facets. The Faceting Property depends on the meta-properties defined in the \atg\commerce\search\product-catalog-output-config.xml ( the def...
4 comments
Read more

Google Chrome shortcut keys

If you are a Google Chromey guy, please find below the list of shortcut keys for some of the most used features  :-) Find more shortcut keys @  http://www.google.com/support/chrome/bin/static.py?page=guide.cs&guide=25799&topic=28650
4 comments
Read more