We're running a Web Agent and we discovered that we can add the
following code in the Target value in order to get access to the
accesskey="x" onclick="alert(1)"
Then when we send the following URL:
https://myserver.mydomain.com/siteminderagent/forms/login.fcc?TYPE=3355433&REALMOID=06-5ftdS393 [...]
and we get a popup reporting the value 1:
[Screenshot: JavaScript alert dialog showing "1" with an OK button]
How can we fix this?
At first glance, it seems that urlencoding and urldecoding the TARGET
value in the .fcc will prevent that vulnerability, according to this
community thread:
Protecting FCC against attacks using encoding/decoding
– this tip describes how to protect the FCC using existing
SiteMinder mechanisms that are part of the language that makes the
FCC files programmable
So $$target$$ becomes $$urlencode(target)$$, for example. Then, to
make sure that the variable is properly decoded after a post
(important for hidden variables!!), place @variable=%decode
function(variable)% at the top of the file in the list of FCC
directives. Following my example, you’d add
You may also check the ACO parameters CSSChecking and BadCSSChars, which
might be even more restrictive.
Configure the Web Agent to Check For Cross-Site Scripting
To instruct the Web Agent to check a URL for characters that may be
part of an executable script, set the following agent configuration
parameter to Yes.
Enable this parameter to configure the Web Agent to scan a full URL,
including the query string, for escaped and unescaped versions of the
following default character set:
- left and right angle brackets (< >)
- single quote (')
Default: Yes
Override the Default CSS Character Set
By default, the agent checks for the following default cross-site scripting character set:
- left and right angle brackets (< >)
- single quote (')
To override the default character set, use the BadCSSChars parameter.
Overrides the default cross-site scripting character set with the
characters of your choice. Include the entire string of characters
that you want. For example, include '\' to avoid JavaScript attacks.
Default: <,',> (A comma separates the characters.)
Example: <,>, \ (In this example, Agent scans only for the left and right angle brackets along with the backslash.)
Limits: Note the following guidelines:
- The maximum number of characters is 4096, including the commas that
separate the characters.
- Specify a range of characters by separating them with a hyphen. The
syntax is: starting_character - ending_character. For example, a-z is
a range of characters.
- The BadCSSChars parameter does not interpret the double quotation mark
(") when it is entered as an ASCII character. To include the double
quotation mark as a bad cross-site scripting character, enter the
hexadecimal equivalent of the ASCII character, which is %22. For
example: BadCSSChars="%22"
If the agent detects a problem related to the character set, it
returns an Access Denied message to the user and logs the
following message in the Agent error log:
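Worked model of the two fixes discussed in this answer (added here, not code from the thread, from SiteMinder, or from the CA documentation). The hidden-field template line, the constructed attack URL and the simplified scanner are assumptions: the real login.fcc and the real CSSChecking implementation are vendor-supplied, and the scanner below only follows the behaviour the excerpt above describes (comma-separated entries, x-y ranges, %XX escapes, escaped and unescaped URL checked). The point a practitioner should take from it is that the payload in the question breaks out of the value="..." attribute using only double quotes, so the default BadCSSChars set <,',> does not catch it; $$urlencode(target)$$ neutralises it, and adding %22 to BadCSSChars makes the agent reject the request.

```python
# Added example (not SiteMinder code and not from the thread): models how the
# TARGET parameter is reflected into login.fcc's hidden field, what the
# $$urlencode(target)$$ fix changes, and how a CSSChecking/BadCSSChars-style
# scan behaves on this payload. Assumptions are marked below.
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, unquote, urlsplit


# Assumed template line: the real login.fcc is vendor-supplied; this stand-in
# mirrors the usual <input type="hidden" name="target" value="$$target$$">.
def render_hidden_target(target, encode=False):
    """Render the hidden field; encode=True is the $$urlencode(target)$$ fix."""
    value = quote(target, safe="") if encode else target
    return '<input type="hidden" name="target" value="%s">' % value


class _AttrCollector(HTMLParser):
    """Collect start-tag attributes the way a browser's parser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def input_attributes(markup):
    """Return the attributes of the first <input> in markup (empty dict if none)."""
    parser = _AttrCollector()
    parser.feed(markup)
    for tag, attrs in parser.tags:
        if tag == "input":
            return attrs
    return {}


def expand_bad_css_chars(spec):
    """Expand a BadCSSChars value ('<,',>,%22,a-z') into a set of characters.

    Follows the excerpt: comma-separated entries, 'x-y' ranges, and %XX hex
    escapes (the only way the doc allows a double quote to be listed).
    """
    chars = set()
    for entry in spec.split(","):
        entry = unquote(entry.strip())
        if not entry:
            continue
        if len(entry) == 3 and entry[1] == "-":
            chars.update(chr(c) for c in range(ord(entry[0]), ord(entry[2]) + 1))
        else:
            chars.update(entry)
    return chars


DEFAULT_BAD_CSS_CHARS = "<,',>"          # the documented default


def css_check(url, bad_chars=DEFAULT_BAD_CSS_CHARS):
    """Simplified CSSChecking: scan the full URL, escaped and unescaped, for
    any character in the bad set. Returns the first hit, or None when clean."""
    bad = expand_bad_css_chars(bad_chars)
    for candidate in (url, unquote(url)):
        for ch in candidate:
            if ch in bad:
                return ch
    return None


# Constructed attack URL carrying the payload from the question. Note it uses
# only double quotes, none of the default <,',> characters.
PAYLOAD = '" accesskey="x" onclick="alert(1)'
ATTACK_URL = ("https://myserver.mydomain.com/siteminderagent/forms/login.fcc"
              "?TARGET=" + quote(PAYLOAD, safe=""))


def target_from_url(url):
    """Pull the TARGET query parameter, decoded, as the agent would."""
    return parse_qs(urlsplit(url).query)["TARGET"][0]


def demo(url=ATTACK_URL):
    """Run the reflection and scan checks; returns a dict of findings."""
    target = target_from_url(url)
    unsafe = input_attributes(render_hidden_target(target))
    safe = input_attributes(render_hidden_target(target, encode=True))
    return {
        # Raw reflection: the payload closes value="" and adds onclick.
        "unsafe_has_onclick": "onclick" in unsafe,
        # urlencode() reflection: everything stays inside the value attribute.
        "safe_has_onclick": "onclick" in safe,
        # ...and %decode on post recovers the original target unchanged.
        "safe_value_roundtrips": unquote(safe.get("value", "")) == target,
        # Default BadCSSChars misses a double-quote-only payload.
        "default_scan_hit": css_check(url),
        # Adding %22 to BadCSSChars makes the agent reject this request.
        "hardened_scan_hit": css_check(url, DEFAULT_BAD_CSS_CHARS + ",%22"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-22s %r" % (name, value))
```

Running it prints one line per finding: the raw reflection gains an onclick attribute, the urlencoded one does not and still round-trips through decode, the default scan returns None for this URL, and the scan with %22 added returns the double quote as the offending character. Keep in mind the scanner is a model of the documented semantics, not the agent's code, so verify the BadCSSChars change against your own agent log before relying on it.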