Protecting Against Cross-site Scripting

System administrators and integrators often use scripting to automate tasks between applications. CCF allows such automation, but you should take steps to secure and protect your content from the introduction of malicious scripts from the outside.

In the adapter for Web applications, actions are fired by the ccf:\\ moniker. The action passes information to the adapter in a query string which, in turn, passes it to the Web server through HTTP-GET or HTTP-POST.

Actions are created in the Admin Console. You set up an action with a query string for the Web application. After that, you create a Web adapter for the Web application if one does not already exist. In the Admin Console, you add the adapter to the Web application. For more information, see the section "Action Table" in this document.

The Web adapter must extend the abstract WebApplicationAdapter class (Microsoft.Ccf.Csr namespace, Microsoft.Ccf.Csr.Core.dll). This means that the Web adapter inherits two properties that are important in preventing cross-site scripting attacks. These properties are EmptyQueryStringData and EncodeQueryString.

For backward compatibility, the EmptyQueryStringData property—which appears in the URL as “_ccfData”—is always attached to the URL. The default value is false, but the value can be suppressed by setting the EmptyQueryStringData property to true in the Web adapter, as the following example illustrates.


                  public WebAppAdapter() 
{
// Wish to suppress _ccfData
EmptyQueryStringData = true;
}

                

To protect against cross-site scripting attacks, CCF allows you to encode the data it appends to URLs. You do this by setting the EncodeQueryStringData property to true in the Web adapter's constructor, as the following example shows (EmptyQueryStringData is left at its default of false so that the data is still attached).


                  public WebAppAdapter() 
{
// Do not need to actually set EmptyQueryStringData to false
// since it is false by default
EmptyQueryStringData = false;
// Encode the data
EncodeQueryStringData = true;
}

                

To add data to a URL, use the Web adapter’s DoAction(Microsoft.Ccf.CsrHostedWebApplication.WebAction action, ref string data) function.

For example, a Web application uses the following URL: http://someURL.com/MyWebApp?x=1&y=2

Agents may need to add data about the customer. Therefore, you add the following to the Web adapter.


                  public override bool DoAction(Microsoft.Ccf.CsrHostedWebApplication.WebAction action, ref string data) 
{
data = “<ApplicationData>customer=3</ApplicationData>”;
return base.DoAction(action, ref data);
}

                

The resulting URL is: http://someURL.com/MyWebApp?x=1&y=2&?_ccfData=<ApplicationData>customer=3</ApplicationData>
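The following is an added example, not CCF code, that shows what the EncodeQueryStringData setting and the DoAction override above buy you. It uses a small stand-in for the Web adapter: build_action_url mimics the adapter attaching the _ccfData parameter with and without encoding, application_data wraps a customer identifier the way the DoAction override does, and read_ccf_data / render_customer_banner play the role of the receiving Web application. All of these names are assumptions for illustration; the exact percent-encoding CCF produces may differ from Python's.

```python
"""Added example (not CCF code): what encoding the _ccfData value achieves.

The stand-in names (build_action_url, application_data, read_ccf_data,
render_customer_banner) are assumptions for illustration and are not
part of CCF's WebApplicationAdapter API.
"""
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Parameter name CCF appends to the action URL (from the page).
CCF_DATA_KEY = "_ccfData"


def build_action_url(base_url: str, data: str, encode: bool) -> str:
    """Append the adapter's data to the action URL.

    encode=False mimics EncodeQueryStringData left at its default: the
    <ApplicationData> fragment is attached verbatim, so any '&' or '='
    inside it is parsed as extra query parameters by the Web server.
    encode=True mimics EncodeQueryStringData = true: the fragment is
    percent-encoded and can only be read back as one opaque value.
    """
    value = quote(data, safe="") if encode else data
    separator = "&" if "?" in base_url else "?"
    return f"{base_url}{separator}{CCF_DATA_KEY}={value}"


def application_data(customer: str) -> str:
    """Wrap a customer identifier the way the page's DoAction override does."""
    return f"<ApplicationData>customer={customer}</ApplicationData>"


def read_ccf_data(url: str) -> dict:
    """Receiving side: recover the query parameters as a Web framework would."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_customer_banner(url: str) -> str:
    """Receiving side: echo the customer data into HTML, HTML-encoding it first.

    Percent-encoding on the URL keeps the query string intact in transit;
    HTML-encoding on output is what stops the value from becoming markup.
    """
    data = read_ccf_data(url).get(CCF_DATA_KEY, "")
    return f"<p>{escape(data, quote=True)}</p>"


if __name__ == "__main__":
    base = "http://someURL.com/MyWebApp?x=1&y=2"
    # Constructed sample: an agent-supplied value that smuggles a second
    # parameter and a script tag.
    tainted = "3&evil=1<script>alert(1)</script>"
    raw = build_action_url(base, application_data(tainted), encode=False)
    enc = build_action_url(base, application_data(tainted), encode=True)
    print("unencoded parameters:", read_ccf_data(raw))
    print("encoded parameters:  ", read_ccf_data(enc))
    print("rendered:", render_customer_banner(enc))
```

Run as a script, the unencoded URL yields an unexpected evil parameter and a truncated _ccfData value, while the encoded URL round-trips the whole <ApplicationData> fragment as a single value; the banner then shows the script tag as literal text because the value is HTML-encoded before it is written into the page.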

This section describes the security assumptions related to CSR features and ways to avoid potential security issues when you use the CSR features of CCF 2009.

CCF assumes that the Admin Console application will use the Microsoft Management Console executable, Mmc.exe, and that Mmc.exe does not incur security risks.
