Content security policy
To enforce protection against potential Cross-Site Scripting (XSS) attacks, new rules regarding unknown or restricted content used in the application have been introduced.
XSS protection impacts
The restrictions applied to the use of string inputs in the beqom application impact the elements described below.
WCF methods
All the Windows Communication Foundation (WCF) services endpoints are restricted by the XSS protection.
REST services
All the REST endpoints where string content is used are restricted with the new sanitization rules:
- Object Service
- Data Service
- Comp Planner Service
- Hub Service
- Environment Manager Service
- File Service
The following two services are excluded:
- Gateway Service (since WCF Services are already restricting the inputs)
- Analytics Service
Localization process
The localization script generation feature has been removed from the beqom Admin Portal to prevent any security bypass.
Admin Portal and database
If any restricted patterns already exist in the application database, it is the consultant's responsibility to analyze and modify the reference database entries accordingly.
beqom Cookies
The HttpOnly attribute is set on all the cookies used by beqom in order to prevent client-side scripts from reading the cookies through the Web browser.
This modification has an impact on the csrftoken cookie, which is now stored in an HTML meta tag. Web tests performed using Microsoft Visual Studio, or API methods that use an Admin Portal client project, are impacted. A new meta tag called "csrftoken" is created in app.aspx and stored in a cookie called "cookie token". This token needs to be parsed from the app.aspx page response and sent with all requests in the "x-csrftoken" request header.
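As an added illustration of the test-side procedure described above (not beqom's own code), the following Python snippet extracts the "csrftoken" meta tag from a constructed app.aspx response and builds the "x-csrftoken" request header; the `<meta name="..." content="...">` attribute layout is an assumption.

```python
from html.parser import HTMLParser


class CsrfMetaParser(HTMLParser):
    """Collects the value of the "csrftoken" meta tag in an app.aspx response.

    The tag is assumed to use the usual <meta name="..." content="..."> layout.
    """

    def __init__(self):
        super().__init__()
        self.token = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attributes = dict(attrs)
        if attributes.get("name") == "csrftoken":
            self.token = attributes.get("content")


def extract_csrf_token(app_aspx_html):
    """Return the token, or fail loudly so a test never runs silently without it."""
    parser = CsrfMetaParser()
    parser.feed(app_aspx_html)
    parser.close()
    if not parser.token:
        raise ValueError('no <meta name="csrftoken"> found in the app.aspx response')
    return parser.token


def build_request_headers(token):
    """Headers for every subsequent request: the token travels in x-csrftoken,
    because the HttpOnly cookie can no longer be read by client-side script."""
    return {"x-csrftoken": token}


# Constructed sample of an app.aspx response (not a real beqom page).
SAMPLE_APP_ASPX = """<!DOCTYPE html>
<html><head>
<meta charset="utf-8">
<meta name="csrftoken" content="CONSTRUCTED-TOKEN-0123" />
<title>app</title>
</head><body></body></html>"""

if __name__ == "__main__":
    print(build_request_headers(extract_csrf_token(SAMPLE_APP_ASPX)))
```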
Possible Error Scenarios
The following table lists the errors which can be encountered when an incorrect element is detected:
| Application | HTTP Code | Error | Reason |
|---|---|---|---|
| Admin Portal | 400 | INF_Error_BadRequest | Restricted pattern found in the request input |
| Admin Portal | 400 | INT_Error_Invalid_Response | Restricted pattern found in the response in Admin Portal (e.g. missing closing tag) |
Understanding the Data Sanitization Concept
The HTML Sanitizer library is used in the application to sanitize the content of the request parameters before they are processed. If the application detects any unauthorized string content in the inputs, the mechanism blocks the request.
Refer to the following table to better understand the new restriction rules:
| String Value | API Response | Impact |
|---|---|---|
| <script>... </script> | Not allowed | Sanitized and blocked if an unauthorized tag is detected |
| <button formaction="..."> </button> | Not allowed | Sanitized and blocked if an unauthorized attribute is detected |
| <randomtag> | Not allowed | Sanitized and blocked if a tag is not closed |
| <img src="..."/> | Allowed | No impact, this statement is safe to use |
| 5 > 4 | Allowed | No impact, "greater than" is safe to use |
| <img> ... | Allowed | No impact, but if the tag is not closed it will break the HTML logic but not the application |
| <> | Allowed | No impact, "<>" is safe to use |
| <0> | Allowed | No impact, "<NUMBER>" is safe to use |
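As an added illustration (not the HTML Sanitizer library's own code), the following Python check applies the table's rules to request input: unknown tags, unknown attributes and unclosed non-void tags are reported, while bare "<", ">" and numbers pass through as plain text. The allow-lists are a constructed subset of those listed later on this page.

```python
from html.parser import HTMLParser

# Constructed subsets of the page's default allow-lists; the application uses
# the full lists, so treat these as illustrative only.
ALLOWED_TAGS = {"a", "b", "br", "button", "div", "img", "p", "span", "table", "td", "tr"}
ALLOWED_ATTRS = {"align", "alt", "href", "name", "src", "style", "title", "type", "value"}
# Void elements never take a closing tag, so "<img> ..." must not count as unclosed.
VOID_TAGS = {"area", "br", "col", "hr", "img", "input", "wbr"}


class RestrictedPatternChecker(HTMLParser):
    """Records every reason an input would be rejected under the page's rules."""

    def __init__(self):
        super().__init__()
        self.reasons = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.reasons.append(f"unauthorized tag <{tag}>")
        for name, _value in attrs:
            if name not in ALLOWED_ATTRS:
                self.reasons.append(f"unauthorized attribute {name} on <{tag}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        # Self-closing form such as <img src="..."/>: nothing is left open.
        self.handle_starttag(tag, attrs)
        if self.open_tags and self.open_tags[-1] == tag:
            self.open_tags.pop()

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; stray closing tags are ignored.
        if tag in self.open_tags:
            while self.open_tags.pop() != tag:
                pass


def check_input(value):
    """Return (allowed, reasons); text such as '5 > 4', '<>' or '<0>' never forms a tag."""
    parser = RestrictedPatternChecker()
    parser.feed(value)
    parser.close()
    for tag in parser.open_tags:
        parser.reasons.append(f"tag <{tag}> is not closed")
    return (not parser.reasons, parser.reasons)
```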
Using the Allowed HTML Elements
This section details the list of tags, attributes, CSS properties and CSS at-rules allowed by default in the application.
Tags
HTML tags are the keywords within a web page that define how the Web browser must format and display the content. For example, <button> is the opening tag and </button> is the closing tag.
This is the list of tags allowed by default:
a, abbr, acronym, address, area, article, aside, b, bdi, big, blockquote, br, button, caption, center, cite, code, col, colgroup, data, datalist, dd, del, details, dfn, dir, div, dl, dt, em, fieldset, figcaption, figure, font, footer, form, h1, h2, h3, h4, h5, h6, header, hr, i, img, input, ins, kbd, keygen, label, legend, li, main, map, mark, menu, menuitem, meter, nav, ol, optgroup, option, output, p, pre, progress, q, rp, rt, ruby, s, samp, section, select, small, span, strike, strong, sub, summary, sup, table, tbody, td, textarea, tfoot, th, thead, time, tr, tt, u, ul, var, wbr
Attributes
HTML attributes customize tags. For example, in <p align="center"> ... </p>, align="center" is the attribute that centers the content inside the paragraph tag.
This is the list of attributes allowed by default:
abbr, accept, accept-charset, accesskey, action, align, alt, autocomplete, autosave, axis, bgcolor, border, cellpadding, cellspacing, challenge, char, charoff, charset, checked, cite, clear, color, cols, colspan, compact, contenteditable, coords, datetime, dir, disabled, draggable, dropzone, enctype, for, frame, headers, height, high, href, hreflang, hspace, ismap, keytype, label, lang, list, longdesc, low, max, maxlength, media, method, min, multiple, name, nohref, noshade, novalidate, nowrap, open, optimum, pattern, placeholder, prompt, pubdate, radiogroup, readonly, rel, required, rev, reversed, rows, rowspan, rules, scope, selected, shape, size, span, spellcheck, src, start, step, style, summary, tabindex, target, title, type, usemap, valign, value, vspace, width, wrap
CSS Properties
CSS properties define the style of HTML elements. For example, in <a href="..." style="font-size: 18px">, font-size: 18px is the CSS property that defines the font size of the link.
This is the list of CSS properties allowed by default:
background, background-attachment, background-clip, background-color, background-image, background-origin, background-position, background-repeat, background-size, border, border-bottom, border-bottom-color, border-bottom-left-radius, border-bottom-right-radius, border-bottom-style, border-bottom-width, border-collapse, border-color, border-image, border-image-outset, border-image-repeat, border-image-slice, border-image-source, border-image-width, border-left, border-left-color, border-left-style, border-left-width, border-radius, border-right, border-right-color, border-right-style, border-right-width, border-spacing, border-style, border-top, border-top-color, border-top-left-radius, border-top-right-radius, border-top-style, border-top-width, border-width, bottom, caption-side, clear, clip, color, content, counter-increment, counter-reset, cursor, direction, display, empty-cells, float, font, font-family, font-feature-settings, font-kerning, font-language-override, font-size, font-size-adjust, font-stretch, font-style, font-synthesis, font-variant, font-variant-alternates, font-variant-caps, font-variant-east-asian, font-variant-ligatures, font-variant-numeric, font-variant-position, font-weight, height, left, letter-spacing, line-height, list-style, list-style-image, list-style-position, list-style-type, margin, margin-bottom, margin-left, margin-right, margin-top, max-height, max-width, min-height, min-width, opacity, orphans, outline, outline-color, outline-offset, outline-style, outline-width, overflow, overflow-wrap, overflow-x, overflow-y, padding, padding-bottom, padding-left, padding-right, padding-top, page-break-after, page-break-before, page-break-inside, quotes, right, table-layout, text-align, text-decoration, text-decoration-color, text-decoration-line, text-decoration-skip, text-decoration-style, text-indent, text-transform, top, unicode-bidi, vertical-align, visibility, white-space, widows, width, word-spacing, z-index
CSS At-rules
CSS at-rules instruct CSS how to behave.
This is the list of CSS at-rules allowed by default:
namespace, style
Style refers to style declarations within other at-rules such as @media. Disallowing @namespace while allowing other types of at-rules can lead to errors. Property declarations in @font-face and @viewport are not sanitized.