Admin Security

The admin application has two Exploit Protection services in place. XSRF Protection, which is set to true by default, and XSS Protection, which is set to false.

Managing Exploit Protection

The bean blExploitProtectionService can be set in WEB-INF/applicationContext-admin.xml. The bean has two properties which will define if the given types of exploit protection are enable and a third property which defines the path of the AntySamy police file.

 <bean id="blExploitProtectionService" class="">
     <property name="xsrfProtectionEnabled" value="true" />
     <property name="xssProtectionEnabled" value="false" />
     <property name="antiSamyPolicyFileLocation" value="the_location_of_your_file" />

Cross-site Request Forgery (CSRF or XSRF)

CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. Source:

To turn ON XSRF (Cross-site Request Forgery) protection:

  • Set xsrfProtectionEnabled to true
  • We recommend leaving XSRF protection ON as there is no real upside to having this turned off.

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

To turn ON XSS (Cross-site scripting) protection:

  • Set xssProtectionEnabled to true
  • To find more information on the XSS protection used in the admin visit the AntiSamy Project
  • An example of protection provided would be preventing admin users from saving any HTML that contains <script> tags.
  • XSS protection could be useful if there are many admin users which have access to entering in HTML code into the admin. This can help prevent malicious code from being entered as well as cleaning up potentially bad HTM which could break a page.
  • Note: AntiSamy can be very finicky, and has been known to reject default HTML generated by Redactor.

Changing the AntiSamy Policy

One way to have better control of what passes and what gets rejected is to use your own policy.

To set your own AntiSamy Policy:

  • Create your own xml policy file.
  • Here's the AntiSamy policy file being used in Broadleaf that can be used as a starting point.
  • Set the antiSamyPolicyFileLocation to the_location_of_your_file