IBM Support

Cross Site Scripting (XSS) filtering in Cognos BI and Cognos Analytics

Question & Answer


Question

How to enable/disable Cross Site Scripting (XSS) filtering in Cognos Analytics (or Cognos BI) ?


Answer

Cognos BI and Cognos Analytics employ the Cognos Application Firewall (CAF) component to, among other things, validate and sanitise user-supplied parameter input.
CAF detects potentially malicious input and rejects it, thereby protecting against, among other things, Cross Site Scripting (XSS) and Cross Site Request Forgery (XSRF) issues.
Tip: When running dynamic scans against the Cognos product you will get many FALSE-POSITIVES if CAF is disabled; it is considered best practice to ensure it is enabled when scanning!
The CAF is controlled through Cognos Configuration at Security -> Cognos Application Firewall.

The setting "CAF validation enabled" switches CAF (including all sub-features) on or off.
It is enabled (set to True) by default and should only be disabled after careful consideration of requirements and the overall context of system security. Disabling CAF can incur security risks!

There are scenarios in which one would want to integrate with external upstream security systems that perform their own XSS filtering, based on rules that potentially differ from the ones CAF employs and, more importantly, applied at a different level of the network stack. In those cases, potentially malicious input, which CAF would intercept only once it processes the client-provided input, would first pass through those external filters and could lead to requests being dropped, intercepted or stopped hard, thus impairing product functionality.

To support these scenarios, CAF has a sub-feature which allows for integration with external XSS filters by avoiding certain characters and replacing them with "encoded" representations instead.
At the same time this specifically DISABLES the XSS filtering performed by CAF, without disabling CAF altogether.
The setting "Is Third Party XSS checking enabled ?" controls this behavior.
  • When set to "FALSE" (the default), Cognos CAF performs XSS checking and filtering, and detected attacks will lead to CAF errors. All characters and sequences allowed by RFC standards for parameters and URLs will be used by the product.
  • When set to "TRUE", the Cognos CAF filtering for XSS vectors is DISABLED, and several characters and character sequences potentially considered dangerous by external XSS filters get replaced by encoded representations.

Note: For this sub-feature to work, CAF must be enabled ("Enable CAF validation" must be set to "True").
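The following is an added illustration, not IBM's code, of how the two settings combine and what "encoded representations" means in practice. It models the three effective states (CAF validation on with CAF's own XSS checking, CAF on with third-party XSS checking, CAF off entirely), percent-encodes a conservative set of characters when the third-party mode is active, and raises a CAF-style error in the default mode. The character set and the detection pattern are assumptions for illustration; the actual rules CAF applies are not stated on this page.

```python
"""Added illustration (not IBM's code) of the CAF XSS-checking behaviours described above.
Assumed for illustration: the characters an external filter objects to (SUSPICIOUS_CHARS)
and the pattern standing in for CAF's own XSS detection (XSS_PATTERN)."""
import re

# Assumed: characters generic upstream XSS filters commonly flag as markup or script
# delimiters. The real list of characters Cognos encodes is not stated on this page.
SUSPICIOUS_CHARS = set('<>"\'()')

# Assumed stand-in for CAF's XSS signature checking; enough to show the "CAF error" outcome.
XSS_PATTERN = re.compile(r"<\s*script|javascript\s*:|on\w+\s*=", re.IGNORECASE)


class CAFError(ValueError):
    """Raised when CAF-style validation rejects a parameter value."""


def resolve_mode(caf_validation_enabled: bool, third_party_xss_enabled: bool) -> str:
    """Map the two Cognos Configuration settings to the effective behaviour.

    Reflects the note that the third-party sub-feature only applies when
    CAF validation itself is enabled.
    """
    if not caf_validation_enabled:
        return "caf-disabled"      # no validation at all; disabling CAF carries risk
    if third_party_xss_enabled:
        return "external-filter"   # CAF XSS checks off, values encoded for the upstream filter
    return "caf-xss"               # default: CAF validates and rejects XSS vectors


def caf_would_reject(value: str) -> bool:
    """True when the illustrative CAF-style check would flag the value."""
    return bool(XSS_PATTERN.search(value))


def encode_for_external_filter(value: str) -> str:
    """Percent-encode only the characters an external filter might reject,
    leaving every other RFC 3986 character as-is so the request stays readable."""
    return "".join(f"%{ord(c):02X}" if c in SUSPICIOUS_CHARS else c for c in value)


def emit_parameter(value: str, mode: str) -> str:
    """Produce the parameter value the product would send in the given mode."""
    if mode == "caf-xss":
        if caf_would_reject(value):
            raise CAFError(f"CAF rejected parameter value: {value!r}")
        return value                              # all RFC-permitted characters used verbatim
    if mode == "external-filter":
        return encode_for_external_filter(value)  # upstream filter does the checking
    return value                                  # caf-disabled: passes through untouched


if __name__ == "__main__":
    # Constructed sample values: a benign report name and a classic XSS probe string.
    samples = ["Sales (Q3) <draft>", "<script>alert(1)</script>"]
    for caf, third in [(True, False), (True, True), (False, True)]:
        mode = resolve_mode(caf, third)
        for s in samples:
            try:
                print(f"{mode:16} {s!r:32} -> {emit_parameter(s, mode)!r}")
            except CAFError as err:
                print(f"{mode:16} {s!r:32} -> {err}")
```

Running it shows why the default mode is the safe one: only "caf-xss" actually rejects the probe string, "external-filter" merely encodes it and relies on the upstream system to catch it, and "caf-disabled" sends everything through untouched.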

To enable CAF provided XSS checking (Best Practice)

1. Start Cognos Configuration.
2. From the Security menu, click Cognos Application Firewall.
3. Set Enable CAF validation option to True.
4. Set the Is third party XSS checking enabled? option to False.
5. Save the configuration and restart services.


To disable CAF provided XSS checking to allow integration with external, third party security systems

1. Start Cognos Configuration.
2. From the Security menu, click Cognos Application Firewall.
3. Set Enable CAF validation option to True.
4. Set the Is third party XSS checking enabled? option to True.
5. Save the configuration and restart services.


Document Information

Modified date:
21 October 2019

UID

swg22002524