The admin application has two Exploit Protection services in place: XSRF Protection, which is set to true by default, and XSS Protection, which is set to false in the bean definition shown below. Both are configured through the blExploitProtectionService bean in WEB-INF/applicationContext-admin.xml. The bean has two boolean properties that define whether each type of exploit protection is enabled, and a third property that defines the location of the AntiSamy policy file used by the XSS protection.
<bean id="blExploitProtectionService" class="org.broadleafcommerce.common.security.service.ExploitProtectionServiceImpl">
    <property name="xsrfProtectionEnabled" value="true" />
    <property name="xssProtectionEnabled" value="false" />
    <property name="antiSamyPolicyFileLocation" value="the_location_of_your_file" />
</bean>
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operations in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application. Source: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
To turn ON XSRF (Cross-site Request Forgery) protection, set the xsrfProtectionEnabled property of the blExploitProtectionService bean to true (this is the default).
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. Source: https://www.owasp.org/index.php/XSS
To turn ON XSS (Cross-site scripting) protection, set the xssProtectionEnabled property of the blExploitProtectionService bean to true. Note that it is false in the configuration above, so HTML entered through the admin is only sanitized by AntiSamy once this property is enabled.
One way to have better control over what passes and what gets rejected is to use your own AntiSamy policy instead of the one shipped with the application.
To set your own AntiSamy policy, write a policy file and point the antiSamyPolicyFileLocation property of the blExploitProtectionService bean at it.
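The following is an added example of such a policy file, not one shipped by Broadleaf or AntiSamy. It uses the standard AntiSamy policy structure (directives, common-regexps, common-attributes, global-tag-attributes, tag-rules, css-rules); the particular tag list, attribute rules and URL regular expressions are constructed here for illustration, and the file name you give the bean (the_location_of_your_file in the bean above) is yours to choose. The policy keeps a small set of formatting tags and links whose href has no scheme or an explicit http/https/mailto scheme, drops active content together with its body, and strips any tag it does not list while keeping that tag's text.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example policy for the blExploitProtectionService bean (not Broadleaf's shipped policy). -->
<anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:noNamespaceSchemaLocation="antisamy.xsd">

  <directives>
    <directive name="omitXmlDeclaration" value="true"/>
    <directive name="omitDoctypeDeclaration" value="true"/>
    <!-- reject oversized input outright instead of scanning it -->
    <directive name="maxInputSize" value="20000"/>
    <directive name="useXHTML" value="true"/>
    <directive name="formatOutput" value="false"/>
    <!-- never fetch and inline remote stylesheets -->
    <directive name="embedStyleSheets" value="false"/>
  </directives>

  <common-regexps>
    <!-- same-site link: no ':' allowed, so no scheme (javascript:, data:) can appear; '//' prefix rejected -->
    <regexp name="onsiteURL" value="^(?!//)[\p{L}\p{N}\.\#@\$%\+&amp;;\-_~,\?=/!]*$"/>
    <!-- off-site link: explicit http, https or mailto scheme only -->
    <regexp name="offsiteURL" value="^(https?://|mailto:)[\p{L}\p{N}][\p{L}\p{N}\-_\.@#\$%&amp;;:,\?=/\+!\(\)~]*$"/>
  </common-regexps>

  <common-attributes>
    <!-- an href that matches neither pattern causes the whole <a> to be filtered (tag removed, text kept) -->
    <attribute name="href" onInvalid="filterTag" description="relative, http(s) or mailto link target">
      <regexp-list>
        <regexp name="onsiteURL"/>
        <regexp name="offsiteURL"/>
      </regexp-list>
    </attribute>
    <attribute name="title" description="plain-text tooltip">
      <regexp-list>
        <regexp value="[\p{L}\p{N}\s\-_',:\[\]!\./\(\)]*"/>
      </regexp-list>
    </attribute>
  </common-attributes>

  <!-- attributes permitted on every allowed tag; event handlers (on*) are never listed, so they are dropped -->
  <global-tag-attributes>
    <attribute name="title"/>
  </global-tag-attributes>

  <tags-to-encode>
  </tags-to-encode>

  <tag-rules>
    <!-- active content: the tag and everything inside it is removed -->
    <tag name="script" action="remove"/>
    <tag name="style" action="remove"/>
    <tag name="iframe" action="remove"/>
    <tag name="object" action="remove"/>
    <tag name="embed" action="remove"/>
    <!-- harmless formatting: kept, with only the globally allowed attributes -->
    <tag name="b" action="validate"/>
    <tag name="i" action="validate"/>
    <tag name="p" action="validate"/>
    <tag name="br" action="validate"/>
    <tag name="ul" action="validate"/>
    <tag name="li" action="validate"/>
    <!-- links: kept only when href satisfies the common attribute rule above -->
    <tag name="a" action="validate">
      <attribute name="href"/>
    </tag>
    <!-- any tag without a rule is filtered: the tag is stripped and its text content is kept -->
  </tag-rules>

  <!-- no inline CSS is allowed, since no properties are declared here -->
  <css-rules>
  </css-rules>

</anti-samy-rules>
```

Before relying on a custom policy, run a few hostile samples through the service with xssProtectionEnabled set to true (for example an <a href="javascript:alert(1)">, an <img onerror=...> and a <script> block) and confirm that the output is what the rules above predict; the schema and the set of supported directives depend on the AntiSamy version bundled with your Broadleaf release, so validate the file against that version's antisamy.xsd.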