For Siteminder Administrators an often overlooked functionality is the built in Cross Site Scripting and SQL Injection protection. Out of the box these settings are not enabled, but can be enabled at the Agent Configuration Object used by your web servers. At a high level this functionality inspects the URL being sent to the Web Agent and takes action before the request reaches the web server based on black listed characters. Keep in mind though, some commonly blocked characters are necessary for certain web applications to function (Outlook Web Access for example).
Cross Site Scripting Protection
- Set “CSSChecking” parameter to “yes”
- By default this prevents <, >, and ‘ characters.
- You can override the default characters by setting the “BadCSSChars” parameter.
SQL Injection Protection
- Uncomment the “BadURLChars” to enable.
- BadURLChars blocks certain characters that occur before the “?”.
- Default values areĀ //,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25
- Uncomment the “BadQueryChars” parameter to enable the same protection “?”.
Further Reading