How to avoid xss attack in wso2 api manager 3.2.0 carbon?

How to solve the XSS attack (injecting "alert") problem in WSO2 API Manager 3.2.0 Carbon?

The request is as follows:

GET /carbon/generic/list.jsp?region=region3&item=governance_list_api_menu&key=api&breadcrumb=APIs%26%2339%3b)%3balert(76174)%3b%2f%2f&singularLabel=API&pluralLabel=APIs HTTP/1.1
Host: xxx.xx.xx.xx:9443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: region1_identity_menu=visible; menuPanel=visible; menuPanelType=main; JSESSIONID=55DB064DEF96C3060444A39F6A8412ED; requestedURI=../../carbon/admin/index.jsp; region1_configure_menu=none; region3_registry_menu=none; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=metadata_menu%252Clist_sub_menu%252Cgovernance_list_api_menu%2523
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Pragma: no-cache
Cache-Control: no-cache


In WSO2 APIM 3.0.0 the solution is released, but it is not implemented in the updated versions of WSO2 (3.1.0, 3.2.0). This process is based on XSSValve.java:

https://svn.apache.org/repos/asf/stratos/site/trunk/content/apidocs/4.1.5/org/wso2/carbon/ui/valve/XSSValve.html#XSSValve()
https://github.com/kasunbg/carbon-kernel-4.x/blob/master/core/org.wso2.carbon.ui/src/main/java/org/wso2/carbon/ui/valve/XSSValve.java

The configuration model has also been changed; refer to:

https://apim.docs.wso2.com/en/3.2.0/reference/understanding-the-new-configuration-model/

So I followed the steps below:

1. vi APIM-HOME/repository/resources/conf/templates/repository/conf/carbon.xml.j2

    <XSSPreventionConfig>
        <XSSPatternsLocation>${carbon.home}/repository/conf/security/xss-patterns.properties</XSSPatternsLocation>
        <Enabled>true</Enabled>
        <Rule>allow</Rule>
        <Patterns>
            <!--Pattern>carbon/sequences</Pattern>
            <Pattern>carbon/configadmin</Pattern>
            <Pattern>carbon/localentries</Pattern>
            <Pattern>carbon/api</Pattern>
            <Pattern>carbon/proxyservices</Pattern>
            <Pattern>carbon/resources</Pattern>
            <Pattern>carbon/task</Pattern-->
            <Pattern>carbon/resources/update_text_content_ajaxprocessor.jsp</Pattern>
            <Pattern>carbon/resources/add_text_resource_ajaxprocessor.jsp</Pattern>
            <Pattern>commonauth</Pattern>
        </Patterns>
    </XSSPreventionConfig>

2. vi APIM-HOME/repository/resources/conf/templates/repository/conf/tomcat/catalina-server.xml.j2

Add the following line to the Host section: <Valve className="org.wso2.carbon.ui.valve.XSSValve"/>
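As an added illustration (not WSO2's XSSValve code), the following screens query parameters the way the valve and its xss-patterns.properties are meant to, run over the request line from the question. The regexes, the benign request and the reading of Rule allow/deny (allow exempts the listed URL patterns, deny validates only them) are assumptions.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed regexes standing in for xss-patterns.properties (assumption: the
# real file holds patterns like these; its exact format is not shown here).
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),      # <script ...>
    re.compile(r"\balert\s*\(", re.I),    # alert(...), as in the captured request
    re.compile(r"\bon\w+\s*=", re.I),     # onload=, onerror=, ...
    re.compile(r"javascript\s*:", re.I),  # javascript: URLs
]


def needs_check(path, rule, url_patterns):
    """Assumed Rule semantics: 'allow' exempts the listed URL patterns from
    validation, 'deny' validates only the listed patterns."""
    matched = any(p in path for p in url_patterns)
    return not matched if rule == "allow" else matched


def find_xss(request_line, rule="allow", url_patterns=()):
    """Return [(param, normalized_value)] for every query parameter that
    matches an XSS pattern after URL- and HTML-entity-decoding."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    if not needs_check(parts.path.lstrip("/"), rule, url_patterns):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already URL-decoded once; a second unquote catches double
        # encoding, and html.unescape turns &#39; back into the quote it hides.
        normalized = html.unescape(unquote(value))
        if any(p.search(normalized) for p in XSS_PATTERNS):
            hits.append((name, normalized))
    return hits


# The request line from the question, plus a constructed benign one.
CAPTURED = ("GET /carbon/generic/list.jsp?region=region3&item=governance_list_api_menu"
            "&key=api&breadcrumb=APIs%26%2339%3b)%3balert(76174)%3b%2f%2f"
            "&singularLabel=API&pluralLabel=APIs HTTP/1.1")
BENIGN = "GET /carbon/generic/list.jsp?region=region3&key=api&breadcrumb=APIs HTTP/1.1"

if __name__ == "__main__":
    print(find_xss(CAPTURED))   # [('breadcrumb', "APIs');alert(76174);//")]
    print(find_xss(BENIGN))     # []
```

Screening like this is a compensating control; the durable fix is encoding the parameter at the point where list.jsp writes it into the page.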