Skip to main content

ATG - how to prevent Cross-Site attacks using _dynSessConf parameter


Cross-site scripting attacks take advantage of a vulnerability that enables a malicious site to use your browser to submit form requests to another site.

In order to protect forms from cross-site attacks in ATG, you can enable form submissions to automatically supply the request parameter _dynSessConf, which identifies the current session through a randomly generated long number. On submission of a form (using dsp:form tag) or activation of a property setting (using dsp:a tag), the request-handling pipeline ( DAFDropletEventServlet ) validates _dynSessConf  against its session confirmation identifier. If it detects a mismatch or missing number, it can block form processing and return an error.

To disable this functionality, we could give the following properties (@ /atg/dynamo/Configuration to disable it globally)
enforceSessionConfirmation = false -->  specifies whether the request-handling pipeline requires session confirmation in order to process the request; the default value is true.
warnOnSessionConfirmationFailure = false --> specifies whether to issue a warning on a confirmation number mismatch; the default value is true.

You can control session confirmation for individual requests by setting the attribute requiresSessionConfirmation to true or false on the applicable dsp:form or dsp:a tag. If this attribute is set to false, the _dynSessConf parameter is not included in the HTTP request and the request-handling pipeline skips validation of this request’s session confirmation number.

Comments

  1. http://docs.oracle.com/cd/E24152_01/Platform.10-1/ATGBusCommRefGuide/html/s1402sessionexpirationfromlackofusera01.html

    Can we handle 409 conflict using CheckSessionExpiration?
    I tried this. But before reaching request to pipeline,web.xml redirect to url mention there.

    ReplyDelete

Post a Comment

Popular posts from this blog

Tax Credit Statement ( Form 26AS )

Read more about Tax filing @  http://tips4ufromsony.blogspot.com/2011/07/income-tax-process-and-e-filing.html  . Form 26AS is a consolidated tax statement issued under Rule 31 AB of Income Tax Rules to PAN holders. This statement, with respect to a financial year, will include details of: Tax deducted at source (TDS). Tax collected at source (TCS). Advance tax/self assessment tax/regular assessment tax etc., deposited in the bank by the taxpayers (PAN holders). Paid refund received during the financial year. Form 26AS will be prepared only with respect to Financial Year 05-06 onwards. To view the Form26AS , log-in to https://incometaxindiaefiling.gov.in and click on ‘View Tax Credit Statement (From 26AS)’  in ‘My Account’. Read more about Form 26AS  @ http://www.incometaxindia.gov.in/26ASTaxCreditStatement.asp http://www.tin-nsdl.com/form26as.asp

Google Chrome shortcut keys

If you are a Google Chromey guy, please find below the list of shortcut keys for some of the most used features  :-) Find more shortcut keys @  http://www.google.com/support/chrome/bin/static.py?page=guide.cs&guide=25799&topic=28650

Eclipse plug-in to create Class and Sequence diagrams

ModelGoon is an Eclipse plug-in avaiable for UML diagram generation from Java code. It can be used to generate Package Dependencies Diagram, Class Diagram, Interaction Diagram and Sequence Diagram. You coud get it from http://marketplace.eclipse.org/content/modelgoon-uml4java Read more about it and see some vedios about how to create the class and sequence diagram @ http://www.modelgoon.org/?tag=eclipse-plugin Find some snapshots below which gives an idea about the diagram generation.

Eclipse plugin: InstaSearch – for quick search

InstaSearch is an Eclipse plug-in for performing quick and advanced search of workspace files. This will index the files and when you search for some file contents, it will look with in this index and the search results will be faster, just like the Goolge instant search. It uses Lucene ( http://lucene.apache.org/ ) for indexing and fast searching of files in the workspace. Each search result file then can be previewed using few most matching and relevant lines. A double-click on the match leads to the matching line in the file. Main Features Instantly shows search results Shows a preview using relevant lines Periodically updates the index Matches partial words (e.g. case in CamelCase) Opens and highlights matches in files Searches JAR source attachments Supports filtering by extension/project/working set Download / Installation In Eclipse Helios (3.6) please install using the  Eclipse Marketplace from the Help menu http://marketplace.eclipse.org/s...

GC Log Analyzer from IBM

This blog is about the GC( garbage collection) log analyzer from IBM. If you have a GC log and you want to analyze the file,  this IBM tool will help you with some graphical analyzer and some recommendations. You can download it from the following URL : https://www.ibm.com/support/pages/ibm-pattern-modeling-and-analysis-tool-java-garbage-collector-pmat Please find below some screenshots and details that might help you. 1. Screenshot 1: 2. Screenshot 2 : 3. Screenshot 3 : 4. Screenshot 4: