After running a vulnerability scan on the web portal, we have a number of cross-site request forgery issues.
Question 1:
There were a number of phishing attempts that seemed to allow for "hazardous character injection". How do we deal with that?
Concerning the Phishing
What happens is that when we process a command, we first validate the parameters and then execute the request. If something goes wrong (an invalid parameter or a Java exception), we send an error in the response to the client, and this error is displayed in the client browser in a popup along with the details about the request (whatever parameters were given) for easier debugging:
1. The response text of the message is properly encoded before it is displayed on the screen, and as a result no HTML tag or script that has been injected can be executed by the browser.
2. The details part of the error (containing all request parameters and the stack trace) is only available when the logged-in user is the Administrator. For other users, only the error message is displayed (which also contains the invalid value that was sent, but again the text is properly encoded before being displayed).
Question 2:
Does Web Portal support the use of the Tomcat CsrfFilter?
Concerning the CSRF issue, we added a new security filter that checks that the referrer URL is in a list of allowed URLs. The list is configurable in tomcat\conf\server.xml. It is configured to contain the Tomcat default URLs.
Please ask support for the Web Portal patch dated after 9-14-2017.
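The referrer-based filter described in the answer above, as an illustrative Java servlet filter (an added example, not the vendor's Web Portal code): it reads its allowlist from a hypothetical `allowedOrigins` init-param rather than from server.xml, compares origins exactly rather than by string prefix, prefers the `Origin` header over `Referer`, and rejects state-changing requests that carry no usable header. It assumes the Servlet 3.x API (`javax.servlet`).

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Illustrative referrer-allowlist filter, not the vendor's code. The allowlist is read from a
// hypothetical "allowedOrigins" init-param such as "https://portal.example.com:8443" (constructed).
public class ReferrerAllowlistFilter implements Filter {
    private final Set<String> allowedOrigins = new HashSet<>();

    @Override public void init(FilterConfig cfg) {
        String raw = cfg.getInitParameter("allowedOrigins");
        if (raw == null) return;
        // Normalise configured entries exactly as request headers are normalised below.
        Arrays.stream(raw.split(",")).map(s -> originOf(s.trim())).filter(Objects::nonNull).forEach(allowedOrigins::add);
    }

    // Reduce a URL to scheme://host[:port] so the comparison is an exact origin match,
    // not a string prefix match ("https://portal.example.com.evil.net" must not pass).
    static String originOf(String url) {
        if (url == null) return null;
        try {
            URI u = new URI(url);
            if (u.getScheme() == null || u.getHost() == null) return null;
            String origin = u.getScheme().toLowerCase() + "://" + u.getHost().toLowerCase();
            return u.getPort() == -1 ? origin : origin + ":" + u.getPort();
        } catch (URISyntaxException e) { return null; }
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        if (Arrays.asList("GET", "HEAD", "OPTIONS").contains(r.getMethod())) {
            chain.doFilter(req, res);   // safe methods change no state; leave them alone
            return;
        }
        // Browsers send Origin on cross-site POSTs; fall back to Referer when it is absent.
        String source = r.getHeader("Origin") != null ? r.getHeader("Origin") : r.getHeader("Referer");
        String origin = originOf(source);
        // Fail closed: a missing, unparseable or literal "null" header is rejected, otherwise a
        // client that strips Referer would bypass the check entirely.
        if (origin == null || !allowedOrigins.contains(origin)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN, "Request origin not allowed");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void destroy() { }
}
```

Register the filter in web.xml with a `filter-mapping` covering the state-changing endpoints; a referrer allowlist is a defence-in-depth layer and pairs with, rather than replaces, a per-session anti-CSRF token such as the one the Tomcat CsrfFilter issues.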