Modify HTTP Header parameters like USER_AGENT and referer
Hi,
We are populating a few parameters on the page (by adding JavaScript) with User_agent and referer for web analytics purposes. But the security scan came back showing a Cross-Site Scripting vulnerability, as they could insert script in the header, which looks like:
User-Agent: (script)alert(2699803)(/script)Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64
Referer: ">
<script type='text/javascript'>
function setWAVars() {
s.eVar40='(script)alert(2699803)(/script);
}
We have a SiteMapController which populates those variables before page load with the header params, so we tried stripping illegal characters from the referer and User_agent before the request is sent. But the scan is still able to insert the script. From the behavior it looks like the HTTP header is not modified at all. How can we make sure that the request will not have any script tags?
The Java code looks like:
// strip <script> tags from the header value, then append it to the head injection
userAgent = contactUtils.removeScriptTag(userAgent);
injection.append( userAgent );
RequestContext.getPageScopeData().put( RuntimePage.PAGESCOPE_HEAD_INJECTION, injection );
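As an added example (my own code, not the TeamSite controller from the post), this encodes the header values for the JavaScript string-literal context they are written into, instead of trying to strip tags; `encodeForJsString`, `buildInjection` and `eVar41` are assumed names.

```java
import java.util.Locale;

// Added example, not OpenText/TeamSite code. Every header character that could end
// the JavaScript string literal or the enclosing <script> element is escaped as \uXXXX.
public final class HeaderInjectionEncoder {

    /** Escapes a value for use inside a single-quoted JavaScript string literal. */
    public static String encodeForJsString(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || " ._-,:;/()".indexOf(c) >= 0;
            if (safe) {
                out.append(c);
            } else {
                // \uXXXX covers ' " \ < > and line terminators (U+2028/2029 included),
                // so neither the string literal nor the <script> element can be closed.
                out.append(String.format(Locale.ROOT, "\\u%04x", (int) c));
            }
        }
        return out.toString();
    }

    /** Builds the head-injection fragment the controller emits, with encoded values. */
    public static String buildInjection(String userAgent, String referer) {
        StringBuilder injection = new StringBuilder();
        injection.append("<script type='text/javascript'>\n")
                .append("function setWAVars() {\n")
                .append("  s.eVar40='").append(encodeForJsString(userAgent)).append("';\n")
                .append("  s.eVar41='").append(encodeForJsString(referer)).append("';\n")
                .append("}\n</script>");
        return injection.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs modelled on the scanner probes quoted in the post
        String ua = "<script>alert(2699803)</script>Mozilla/4.0 (compatible; MSIE 8.0)";
        String referer = "\">";
        String html = buildInjection(ua, referer);
        System.out.println(html);
        // The header text reaches the page only as \u003cscript\u003e..., still a string
        assert !html.contains("</script>Mozilla") && !html.contains("'\">");
    }
}
```

The browser decodes the escapes when it evaluates the literal, so the analytics value is preserved unchanged while the header can no longer break out of the string or the script block.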
Comments
Replacing < with ( as it does not submit.