Skip to main content

ATG - how to prevent Cross-Site attacks using _dynSessConf parameter


Cross-site scripting attacks take advantage of a vulnerability that enables a malicious site to use your browser to submit form requests to another site.

In order to protect forms from cross-site attacks in ATG, you can enable form submissions to automatically supply the request parameter _dynSessConf, which identifies the current session through a randomly generated long number. On submission of a form (using dsp:form tag) or activation of a property setting (using dsp:a tag), the request-handling pipeline ( DAFDropletEventServlet ) validates _dynSessConf  against its session confirmation identifier. If it detects a mismatch or missing number, it can block form processing and return an error.

To disable this functionality, we could give the following properties (@ /atg/dynamo/Configuration to disable it globally)
enforceSessionConfirmation = false -->  specifies whether the request-handling pipeline requires session confirmation in order to process the request; the default value is true.
warnOnSessionConfirmationFailure = false --> specifies whether to issue a warning on a confirmation number mismatch; the default value is true.

You can control session confirmation for individual requests by setting the attribute requiresSessionConfirmation to true or false on the applicable dsp:form or dsp:a tag. If this attribute is set to false, the _dynSessConf parameter is not included in the HTTP request and the request-handling pipeline skips validation of this request’s session confirmation number.
Labels:

Comments

  1. Anonymous15 May 2014 at 00:53

    http://docs.oracle.com/cd/E24152_01/Platform.10-1/ATGBusCommRefGuide/html/s1402sessionexpirationfromlackofusera01.html

    Can we handle 409 conflict using CheckSessionExpiration?
    I tried this. But before reaching request to pipeline,web.xml redirect to url mention there.

    ReplyDelete

Post a Comment

Popular posts from this blog

Google Chrome shortcut keys

If you are a Google Chromey guy, please find below the list of shortcut keys for some of the most used features  :-) Find more shortcut keys @  http://www.google.com/support/chrome/bin/static.py?page=guide.cs&guide=25799&topic=28650
4 comments
Read more

ATG Search - search engine tuning settings

In this blog, I am going to list the best tuning settings for ATG Search engine. The AESoapConfig.xml, AESoapWaspConfig.xml  and AEConfig.xml are the xmls referred below and you can find it @  <ATG_DIR>\<Searchx.x>\SearchEngine\<operating_system>\bin\ folder. (1)  Make sure that the AESoapConfig.xml's rwTimeout is less than or equal to routing's readTimeoutMs. You could find the routing's readTimeoutMs @ atg\search\routing\SearchEngineService component.               rwTimeout is the  length of time in seconds to wait before a read or write operation times out on an active connection. The number can be decreased to improve performance. However, a value that is too low could cause slow connections to be prematurely closed. (2)  Adjust the number of engine threads to match the number of CPUs available to the engine. Note that the minimal value for maxThreads and maxSpar...
Post a Comment
Read more

ATG - basic concepts of ATG

This blog is for the ATG beginners to get some basic overview about ATG. I just given the ATG concepts as a list of numbered points for the ease of understanding. 1. At the framework level, ATG is a               java based application platform for hosting web-based applications, as well as RMI accessible business components,               with an ORM layer,               a component container,               an MVC framework,               and a set of tag libraries for JSP. 2. Art Technology Group(ATG)'s Dynamo Application Server (DAS) is a Java EE compliant application server. DAS is no longer actively developed as ATG recommends using other Java EE applications servers for its products such as BEA WebLogic, JBoss or IBM WebSphere. 3. Prior to ATG 2007, JHTML was used instead of JSP for view purpose. J...
4 comments
Read more

ATG Search architectural flow : Search and Index

I would like to explain the high level ATG Search implementation architecture ( for an online store) through the above diagram. In this diagram 1.x denotes the search functionality and 2.x denotes the indexing functionality. I have given JBoss as the application server. Physical Boxes and Application Servers in the diagram ( as recommended by ATG )  : Estore ( Commerce ) Box --> The box with the estore/site ear (with the site JSPs and Java codes). Search Engine Box --> The box with the search engine application running. Indexing Engine Box --> The box with the indexing engine application running. CA (Content Administration) Box --> The box with the ATG CA ear ( where we could take CA -BCC - Search Administration and configure the search projects) . Search Indexer Box --> The box with the ATG Search Index ear ( to fetch the index data from repository). Note that the engine performing indexing will need access ...
7 comments
Read more

Basic design decisions for a commerce search setup ( with an ATG Search view)

In this blog I would like to explain the basic set of configuration/design decisions needed to setup an ATG search project. Most of these design decisions are common for all Enterprise search applications. 1. Decide the searchable properties :   This means the properties that the business want the user to search in the ecommerce platform. In ATG search these are configured as the text properties in the product-catalog-output-config.xml ( the definitionFile of the \atg\commerce\search\ProductCatalogOutputConfig). Usually the displayName of product/sku, displayName of department/category/sub-category, skuId, brandName are the properties configured as searchable. 2. Decide the search refinement properties or the faceted properties :   After a user search for a keyword, search refinement is the next step done to filter his results. ATG supports the search refinement using the Faceted Search concept. Read more about facted search @...
6 comments
Read more