Product: TIBCO Spotfire®
How to protect TIBCO Spotfire Server against Cross-site scripting (XSS) or Cross Frame Scripting (XFS) security vulnerability.
Instructions to enable protection against Cross-site scripting (XSS) or Cross Frame Scripting (XFS) security vulnerability on TIBCO Spotfire Server
The TIBCO Spotfire Server can be configured to include an X-XSS-Protection HTTP header, which tells browser clients how to use their built-in reflected-XSS filter and so provides basic protection against some XSS attacks. This header is optional and is not included by default. Two caveats apply: the header only influences the browser's filter for reflected (non-persistent) XSS, and current browsers (Chromium-based browsers since the XSS Auditor was removed, and Firefox, which never implemented the filter) ignore it entirely, so it is a defence-in-depth measure for older clients, not a substitute for output encoding or a Content-Security-Policy. Cross Frame Scripting (framing the Spotfire UI from a hostile page) is mitigated by a separate X-Frame-Options header, which the steps below do not set.
The following instructions can be used to configure protection against Cross-site scripting on TIBCO Spotfire Server:
On Windows:
-------------------------------------------
1). Open a command prompt and change to "<TSS installation folder>\tomcat\bin" (10.2 and lower) or "<TSS installation folder>\tomcat\spotfire-bin" (10.3 and higher).
2). Run following commands:
-- Export the current active configuration into a file (configuration.xml) for modification:
config.bat export-config --force
-- Enable the X-XSS-Protection header:
config.bat set-config-prop --name="security.x-xss-protection.enabled" --value="true"
-- When this feature is enabled, the server includes the HTTP header "X-XSS-Protection: 1; mode=block" in all responses.
-- The "X-XSS-Protection" header can have the following values:
1 : Enable the browser's XSS filter; the browser sanitizes the page when a reflected attack is detected
0 : Disable the browser's XSS filter
1; mode=block : The token mode=block makes the browser (IE8+ and WebKit-based browsers) refuse to render the page at all (instead of sanitizing it) if a potential reflected (non-persistent) XSS attack is detected. This is the safer choice, because the sanitizing mode of the filter could itself be abused to selectively disable legitimate scripts on a page.
-- Use the following command to change the directive if your requirements differ from the default. For example, to send the bare value 1:
config.bat set-config-prop --name="security.x-xss-protection.directive" --value="1"
-- Import the modified configuration into the database:
config.bat import-config -c "enabled X-XSS-Protection"
3). Restart TIBCO Spotfire Server service.
-----------------------------------------------
On Unix/Linux:
-------------------------------------------
1). Log in to a shell and change to "<TSS installation directory>/tomcat/bin" (10.2 and lower) or "<TSS installation directory>/tomcat/spotfire-bin" (10.3 and higher).
2). Run following commands:
-- Export the current active configuration into a file (configuration.xml) for modification:
config.sh export-config --force
-- Enable the X-XSS-Protection header:
config.sh set-config-prop --name="security.x-xss-protection.enabled" --value="true"
-- When this feature is enabled, the server includes the HTTP header "X-XSS-Protection: 1; mode=block" in all responses.
-- The "X-XSS-Protection" header can have the following values:
1 : Enable the browser's XSS filter; the browser sanitizes the page when a reflected attack is detected
0 : Disable the browser's XSS filter
1; mode=block : The token mode=block makes the browser (IE8+ and WebKit-based browsers) refuse to render the page at all (instead of sanitizing it) if a potential reflected (non-persistent) XSS attack is detected. This is the safer choice, because the sanitizing mode of the filter could itself be abused to selectively disable legitimate scripts on a page.
-- Use the following command to change the directive if your requirements differ from the default. For example, to send the bare value 1:
config.sh set-config-prop --name="security.x-xss-protection.directive" --value="1"
-- Import the modified configuration into the database:
config.sh import-config -c "enabled X-XSS-Protection"
3). Restart TIBCO Spotfire Server process.
------------------------------------------------
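The Unix/Linux procedure above, scripted end to end together with a check that the header actually reaches the client after the restart. This is an added example, not TIBCO's code or part of the original article: the TSS_HOME and TSS_URL values, the TSS_APPLY/TSS_CHECK switches and the helper names are assumptions made here, the config.sh invocations are exactly the ones listed in the steps above (10.3 and later layout), and the response-header samples at the end are constructed so the check logic runs without a server. The same commands apply on Windows with config.bat in place of config.sh.

```shell
#!/usr/bin/env bash
# Added example (not TIBCO's code): apply the X-XSS-Protection settings from the
# steps above with config.sh and verify the header in a server response.
# Assumptions: TSS_HOME is the Spotfire Server installation (10.3 or later, so
# config.sh lives under tomcat/spotfire-bin; use tomcat/bin for 10.2 and lower),
# TSS_URL is the server's web address, and curl is available for the live check.
set -eu

TSS_HOME="${TSS_HOME:-/opt/tibco/tss/14.0.0}"                  # assumed install path
TSS_URL="${TSS_URL:-https://spotfire.example.com/spotfire/}"   # assumed server URL
EXPECTED_DIRECTIVE="1; mode=block"   # value the server emits once the feature is enabled

# Run the article's configuration steps. Restart TIBCO Spotfire Server afterwards.
configure_xss_header() {
  local directive="${1:-$EXPECTED_DIRECTIVE}"
  cd "$TSS_HOME/tomcat/spotfire-bin"
  ./config.sh export-config --force
  ./config.sh set-config-prop --name="security.x-xss-protection.enabled" --value="true"
  ./config.sh set-config-prop --name="security.x-xss-protection.directive" --value="$directive"
  ./config.sh import-config -c "enabled X-XSS-Protection"
}

# Print the value of the X-XSS-Protection header found in the raw response
# headers passed as $1 (header name matched case-insensitively, CRLF tolerated);
# prints nothing when the header is absent.
xss_header_value() {
  printf '%s\n' "$1" | tr -d '\r' \
    | awk -F': *' 'tolower($1) == "x-xss-protection" { print $2; exit }'
}

# Return 0 when the headers in $1 carry the expected directive ($2, default
# "1; mode=block"), 1 when the header is missing or has another value.
check_xss_header() {
  local want="${2:-$EXPECTED_DIRECTIVE}"
  local got
  got=$(xss_header_value "$1")
  [ "$got" = "$want" ]
}

# Fetch only the response headers from the server and check them.
check_live_server() {
  local headers
  headers=$(curl -sS -I --max-time 10 "$TSS_URL")
  check_xss_header "$headers"
}

if [ "${TSS_APPLY:-0}" = "1" ]; then
  configure_xss_header
  echo "Configuration imported; restart TIBCO Spotfire Server, then run with TSS_CHECK=1."
elif [ "${TSS_CHECK:-0}" = "1" ]; then
  if check_live_server; then
    echo "OK: $TSS_URL sends X-XSS-Protection: $EXPECTED_DIRECTIVE"
  else
    echo "FAIL: $TSS_URL does not send the expected X-XSS-Protection header"
    exit 1
  fi
else
  # Offline demonstration on constructed responses: one hardened, one unchanged.
  GOOD=$(printf 'HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=block\r\nContent-Type: text/html\r\n')
  BAD=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n')
  if check_xss_header "$GOOD"; then echo "hardened sample: header present with expected value"; fi
  if ! check_xss_header "$BAD"; then echo "default sample: header missing (got: '$(xss_header_value "$BAD")')"; fi
fi
```

Run it once with TSS_APPLY=1 from a shell that can execute the configuration tool, restart the server as step 3 requires, then run it with TSS_CHECK=1; a non-zero exit means the header is still absent, which usually points at a configuration that was imported but not activated by the restart, or at a proxy in front of Tomcat that strips the header. Without either switch it only exercises the check against the embedded samples.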
https://en.wikipedia.org/wiki/Cross-site_scripting
https://owasp.org/www-community/attacks/Cross_Frame_Scripting
https://owasp.org/www-community/attacks/xss/