Modify HTTP Header parameters like USER_AGENT and referer
Hi,
We are populating a few parameters on the page (by adding JavaScript) with User-Agent and Referer for web analytics purposes. But the security scan came back showing a Cross-Site Scripting vulnerability, as they could insert script in a header, which looks like:
User-Agent: (script)alert(2699803)(/script)Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64
Referer: ">
<script type='text/javascript'>
function setWAVars() {
s.eVar40='(script)alert(2699803)(/script);
}
We have a SiteMapController which populates those variables before page load with the header params, and so we tried stripping illegal characters from the Referer & User-Agent before the request is sent. But the scan is still able to insert the script. From the behavior it looks like the HTTP header is not modified at all. How can we make sure that the request will not have any script tags?
The Java code looks like:
// strip <script> tags from the User-Agent header value before it is used
userAgent = contactUtils.removeScriptTag(userAgent);
// append the cleaned value to the inline script being built
injection.append( userAgent );
// register the built script for injection into the page <head>
RequestContext.getPageScopeData().put( RuntimePage.PAGESCOPE_HEAD_INJECTION, injection );
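The defensive fix for the situation in this post, as an added example that is not the poster's or TeamSite's code: the Referer payload `">` contains no script tag, so a remove-<script> blacklist leaves it untouched, while encoding each header value for the JavaScript string literal it lands in keeps both payloads inert. The class and method names (HeaderInjectionDemo, encodeForJsString, buildHeadInjection) and the sample inputs are hypothetical; in production the same job is done by a maintained encoder such as OWASP Java Encoder's Encode.forJavaScript.

```java
import java.util.regex.Pattern;

public class HeaderInjectionDemo {

    // The blacklist approach from the post: strip <script> tags and nothing else.
    private static final Pattern SCRIPT_TAG = Pattern.compile("(?i)</?script[^>]*>");

    static String removeScriptTag(String value) {
        return SCRIPT_TAG.matcher(value).replaceAll("");
    }

    // Allow-list encoder for a single-quoted JS string literal inside a <script>
    // block: every character outside a small safe set becomes a backslash-u
    // escape, so nothing in the value can close the string, the script block
    // or an attribute; the JS engine still sees the original characters.
    static String encodeForJsString(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || " .,:;/()-_".indexOf(c) >= 0;
            if (safe) {
                out.append(c);
            } else {
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.toString();
    }

    // Builds the head injection the way the post describes, with encoded values.
    static String buildHeadInjection(String userAgent, String referer) {
        return "<script type='text/javascript'>\n"
                + "function setWAVars() {\n"
                + "  s.eVar40='" + encodeForJsString(userAgent) + "';\n"
                + "  s.eVar41='" + encodeForJsString(referer) + "';\n"
                + "}\n</script>";
    }

    public static void main(String[] args) {
        // Constructed inputs modelled on the scanner payloads quoted in the post.
        String userAgent = "<script>alert(1)</script>Mozilla/4.0 (compatible; MSIE 8.0)";
        String referer = "\">";
        // The blacklist leaves the Referer payload untouched: there is no tag to strip.
        System.out.println("after removeScriptTag: " + removeScriptTag(referer));
        // The encoded output keeps both values inside their string literals.
        System.out.println(buildHeadInjection(userAgent, referer));
    }
}
```

Apply the encoder at the point of output, after the header value is read and just before it is appended to the injection buffer; no stripping on the request side is needed, and the raw header itself never has to be modified.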
Comments
Replacing < with ( as it does not submit