Fujitsu V6.0 Common Notes for Interstage, About Netscape, About the Cross-Site Scripting Problem


Chapter 3: Notes on Interstage Operation

Common Notes for Interstage

About Netscape 6

Do not install Netscape 6 on the same system.

About the Cross-Site Scripting Problem

What is the Cross-Site Scripting Problem?

The Cross-Site Scripting problem is a security problem that occurs when input data sent by the client Web browser is written back into a dynamically generated Web page returned by the server. Static HTML pages, and dynamically generated Web pages that do not use the input data, are not affected by this problem.

This is explained in the following example:

1) The following script is an example of a script that is executed when cross-site scripting occurs. Enter it at the end of the input data form, just before pressing "Submit":

<SCRIPT Language=JavaScript>alert("Hello");</SCRIPT>

2) After the input data is sent, a dialog box showing "Hello" is displayed.

The input data was processed, but so was the script. If the user sends the input data directly to the trusted site, there is no problem even if the page contains errors. But when the user sends input data through an untrusted site, and the untrusted site forwards it as input data to the trusted site, the script that is then executed in the user's browser under the trusted site's name is the Cross-Site Scripting problem.

Analysis of the Problem

Applications such as CGI programs and servlets that generate dynamic pages for display by the Web browser, and that build those pages from the input data without investigating it, need to be fixed.

Examples:

Pages that display retrieved results

Pages that check the input for errors and display the input back to the user

Pages that register the input data in a database and later display it through keyword searches

Investigation Method

Review the application programs one by one, from the point where the input data is retrieved to the point where the Web page is generated. This can be done manually, by visual inspection of the source code, or, when reviewing the source program is not practical, by running tests such as the one described above.
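The following Python script is an added example, not code from Fujitsu or the Interstage product. It stands in for a CGI-style "retrieved result" page of the kind listed above, shows the affected pattern beside a corrected one that escapes the input before writing it into the page, and automates the dialog-box test from the example: the `keyword` field name and the page layout are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, quote

# Constructed sample input: the test script quoted in the notes above, as a form field value.
TEST_SCRIPT = '<SCRIPT Language=JavaScript>alert("Hello");</SCRIPT>'


def render_result_page_unsafe(query_string):
    """Builds a 'retrieved result' page by copying the keyword straight into the HTML.
    This is the affected pattern: the input data is never investigated."""
    params = parse_qs(query_string)
    keyword = params.get("keyword", [""])[0]
    return ("<HTML><BODY>Results for: " + keyword +
            "<BR>No entries were found.</BODY></HTML>")


def render_result_page_safe(query_string):
    """Same page, but characters that can start a tag or attribute (<, >, &, quotes)
    are escaped before being written, so the browser displays the text instead of running it."""
    params = parse_qs(query_string)
    keyword = params.get("keyword", [""])[0]
    return ("<HTML><BODY>Results for: " + html.escape(keyword, quote=True) +
            "<BR>No entries were found.</BODY></HTML>")


SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def echoes_script_unchanged(page_builder, payload=TEST_SCRIPT):
    """Runs the dialog-box test from the notes against a page builder.
    Returns True when the generated page still contains an executable <SCRIPT> tag,
    i.e. the application is affected by the Cross-Site Scripting problem."""
    page = page_builder("keyword=" + quote(payload))
    return SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    for name, builder in (("unsafe", render_result_page_unsafe),
                          ("safe", render_result_page_safe)):
        verdict = "AFFECTED" if echoes_script_unchanged(builder) else "not affected"
        print(f"{name}: {verdict}")
```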
