I have done the mitigation steps by following this WSO2 documentation to avoid Cross Site Scripting (XSS) attacks in WSO2 EI 6.4.0.
In the below mentioned files I have made the required changes as mentioned there:
<PRODUCT_HOME>/repository/conf/carbon.xml
<Hosts> element of the <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file.
Post restarting the server, I have noticed a couple of things as mentioned below.
Whenever I try to edit files in the management console, I get the below ERROR in the logs:
[2022-10-18 07:38:59,904] [-1234] [] [http-nio-9443-exec-34] ERROR {org.wso2.carbon.tomcat.ext.valves.CompositeValve} - Could not handle request: /carbon/sequences/save_sequence.jsp
javax.servlet.ServletException: Possible XSS Attack. Suspicious code : eval($)
at org.wso2.carbon.ui.valve.XSSValve.validateParameters(XSSValve.java:110)
at org.wso2.carbon.ui.valve.XSSValve.invoke(XSSValve.java:86)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Concluding that whatever we want, we can do via CAR, this mitigation change does not allow us to edit config files via the management console.
Is my understanding correct, or am I missing something? I just need to know the product level impacts post this mitigation.
Kindly clarify my doubt or share your thoughts on the same.
We need to skip the content validation of the artifact files. We can whitelist the resource paths used to modify artifacts such as APIs, sequences, etc. To do this you need to add the following patterns under the <Patterns> element of the <XSSPreventionConfig> element in the carbon.xml config file.
<XSSPreventionConfig>
    <Enabled>true</Enabled>
    <Rule>allow</Rule>
    <Patterns>
        <Pattern>carbon/sequences</Pattern>
        <Pattern>carbon/configadmin</Pattern>
        <Pattern>carbon/localentries</Pattern>
        <Pattern>carbon/api</Pattern>
        <Pattern>carbon/proxyservices</Pattern>
        <Pattern>carbon/resources</Pattern>
        <Pattern>carbon/task</Pattern>
    </Patterns>
</XSSPreventionConfig>
Reference: http://ravindraranwala.blogspot.com/2015/10/preventing-xss-and-csrf-vulnerabilities.html
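To see how the allow-list above interacts with the valve's parameter check, here is an added Python model of the decision (not WSO2's own XSSValve code). It assumes that with <Rule>allow</Rule> the listed <Pattern> values are URI substrings exempt from validation, that the other rule value is deny (only listed paths are inspected), and it uses a simplified suspicious-token regex built around the eval( token seen in the log rather than the valve's real rule set.

```python
"""Model of the carbon.xml XSSPreventionConfig allow-list (added illustration)."""
import re
import xml.etree.ElementTree as ET

# Constructed carbon.xml fragment mirroring the answer's configuration (two patterns kept).
CARBON_XML = """
<Server>
  <XSSPreventionConfig>
    <Enabled>true</Enabled>
    <Rule>allow</Rule>
    <Patterns>
      <Pattern>carbon/sequences</Pattern>
      <Pattern>carbon/configadmin</Pattern>
    </Patterns>
  </XSSPreventionConfig>
</Server>
"""

# Simplified stand-in for the valve's suspicious-code rules (assumption, not the real list).
SUSPICIOUS = re.compile(r"eval\(|<script|javascript:", re.IGNORECASE)


def load_config(xml_text):
    """Parse Enabled / Rule / Patterns out of the XSSPreventionConfig element."""
    cfg = ET.fromstring(xml_text).find("XSSPreventionConfig")
    return {
        "enabled": cfg.findtext("Enabled", "false").strip().lower() == "true",
        "rule": cfg.findtext("Rule", "allow").strip().lower(),
        "patterns": [p.text.strip() for p in cfg.iterfind("Patterns/Pattern")],
    }


def needs_validation(cfg, request_uri):
    """Should the valve inspect this request's parameters? (assumed semantics)"""
    if not cfg["enabled"]:
        return False
    matched = any(pat in request_uri for pat in cfg["patterns"])
    if cfg["rule"] == "allow":
        return not matched  # allow: listed paths are exempt from validation
    return matched          # deny: only listed paths are validated


def check_request(cfg, request_uri, params):
    """Return None if the request passes, else the first suspicious token found."""
    if not needs_validation(cfg, request_uri):
        return None
    for value in params.values():
        hit = SUSPICIOUS.search(value)
        if hit:
            return hit.group(0)
    return None
```

With this configuration the save_sequence.jsp request from the question passes even though its body contains eval($), while an un-listed admin page with the same content is still rejected.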