This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Aug 1, 2018, 3:50 PM
2 Posts

XSS Vulnerability

  • Category: Domino Server
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator,Developer
  • Tags: XSS,HTTP
  • Replies: 1

Hi,

After scanning for Web vulnerabilities, we found that our Notes application was subject to being hacked by an XSS attack. So we upgraded our Domino server to 9.0.1 FP10 and added these Notes.ini parameters:

HttpOnly=1
HTTPAdditionalRespHeader=X-Frame-Options:SAMEORIGIN

But even with this, the web-based application can be fooled by this simple code in a form field: <script>alert('bonjour')</script>

Am I missing something?

Guy.
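
Added example, not part of the original post and not Domino code: a Python sketch of why the field value in the post still executes. It assumes the two Notes.ini settings result in an HttpOnly cookie attribute and an X-Frame-Options: SAMEORIGIN response header; the page template, cookie name and function names are hypothetical.

```python
import html
from html.parser import HTMLParser

# Constructed sample data. FIELD_VALUE is the payload quoted in the post;
# the cookie name and page template are hypothetical.
FIELD_VALUE = "<script>alert('bonjour')</script>"
RESPONSE_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",                  # limits framing by other origins
    "Set-Cookie": "SessionID=constructed; HttpOnly",  # hides the cookie from scripts
}

class ScriptCounter(HTMLParser):
    """Counts the <script> elements an HTML parser finds in a page."""
    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1

def count_scripts(page):
    counter = ScriptCounter()
    counter.feed(page)
    counter.close()
    return counter.scripts

def render(value, encode):
    """Place a stored field value into the page body, optionally HTML-encoded."""
    shown = html.escape(value, quote=True) if encode else value
    return f"<html><body><p>Comment: {shown}</p></body></html>"

def respond(value, encode):
    """Return (headers, body). The headers never alter the body."""
    return dict(RESPONSE_HEADERS), render(value, encode)

if __name__ == "__main__":
    for encode in (False, True):
        headers, body = respond(FIELD_VALUE, encode)
        print(f"encode={encode} headers={sorted(headers)} scripts={count_scripts(body)}")
        print("  " + body)
```

With encode=False the script element reaches the parser regardless of the two headers; with encode=True the same value arrives as inert text.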
