IBM Support

webMethods Knowledgebase : Security Vulnerabilities found in API Portal (1799949)

Troubleshooting


Problem

API Portal web vulnerabilities

Version: 10.3

Description:

Customer detected a couple of vulnerabilities with API Portal web apps (version 10.3, fix XX).

No Anti-CSRF tokens were found in an HTML submission form.

Failure to include Anti-CSRF tokens in the HTML form increases the risk of a cross-site request forgery attack.

Some explanation found on following link:

https://blog.insiderattack.net/anti-csrf-tokens-to-prevent-cross-site-request-forgery-csrf-79b9d7a5c079

Recommended action: Use anti-CSRF packages such as the OWASP CSRFGuard and ensure that HTML forms include Anti-CSRF tokens.

Content Security Policy header is not properly configured (GATEWAY only).

The directives of the CSP header set style-src and script-src to 'unsafe-inline'. This allows inline script and style elements, along with inline event handlers, to execute. Failure to configure the Content-Security-Policy header to block inline styles and scripts allows an attacker to use script tags or event handlers to load malicious JavaScript code.

Page source for the gateway:

<meta http-equiv="Content-Security-Policy" content="img-src 'self' data:;default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';">

Recommended action: set the CSP header to: script-src 'self'; style-src 'self';

X-XSS-Protection HTTP header is missing (GATEWAY and PORTAL)

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. Disabling this protection mechanism puts the website at risk of a cross-site scripting (XSS) attack.

Recommended action: Set the X-XSS-Protection HTTP response header to one of the following: X-XSS-Protection: 1; mode=block or X-XSS-Protection: 1; report=https://example.com

X-Frame-Options Header Not Set (GATEWAY only)

Failure to configure the web application to ensure its integrity increases the risk that a malicious user could exploit the web application to gain unauthorized access to the application and the data it processes.

Recommended action: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it is set on all web pages returned by your site.
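The three header findings above (unsafe-inline in the meta CSP, missing X-Frame-Options, missing X-XSS-Protection) can be checked mechanically on a captured response. The following audit script is an added example, not part of this article or the API Portal product; the header dictionaries are constructed sample input, and the gateway HTML embeds the meta CSP quoted above so the checker reproduces the findings reported here.

```python
from html.parser import HTMLParser

# Constructed sample: the gateway page as described in the finding, i.e. the
# CSP delivered only via a <meta> tag and no X-Frame-Options / X-XSS-Protection headers.
GATEWAY_HEADERS = {"Content-Type": "text/html;charset=UTF-8"}
GATEWAY_HTML = (
    "<html><head>"
    "<meta http-equiv=\"Content-Security-Policy\" content=\"img-src 'self' data:;"
    "default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval';\">"
    "</head><body></body></html>"
)

# Constructed sample: the same page with the recommended headers applied.
HARDENED_HEADERS = {
    "Content-Type": "text/html;charset=UTF-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
}


def parse_csp(policy):
    """Parse a CSP string into {directive: [source tokens]}.

    Directives are ';'-separated; within a directive the first token is the name.
    If a directive is repeated, browsers keep the first occurrence, so we do too.
    """
    result = {}
    for directive in policy.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        result.setdefault(name, tokens[1:])
    return result


class _MetaCspExtractor(HTMLParser):
    """Collects the content of the first <meta http-equiv="Content-Security-Policy"> tag."""

    def __init__(self):
        super().__init__()
        self.policy = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.policy is not None:
            return
        attributes = dict(attrs)
        if (attributes.get("http-equiv") or "").lower() == "content-security-policy":
            self.policy = attributes.get("content")


def meta_csp(html):
    extractor = _MetaCspExtractor()
    extractor.feed(html)
    return extractor.policy


def audit_response(headers, html):
    """Return a list of finding identifiers for one captured HTTP response."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}

    header_policy = hdrs.get("content-security-policy")
    policy = header_policy or meta_csp(html)
    csp = parse_csp(policy) if policy else {}

    if not policy:
        findings.append("csp-missing")
    else:
        for directive in ("script-src", "style-src"):
            # A missing script-src/style-src falls back to default-src.
            sources = csp.get(directive, csp.get("default-src", []))
            if "'unsafe-inline'" in sources:
                findings.append(f"csp-{directive}-unsafe-inline")
            if directive == "script-src" and "'unsafe-eval'" in sources:
                findings.append("csp-script-src-unsafe-eval")

    # frame-ancestors only counts when delivered as a header: browsers ignore it in <meta>.
    frame_ancestors_set = bool(header_policy) and "frame-ancestors" in csp
    if "x-frame-options" not in hdrs and not frame_ancestors_set:
        findings.append("x-frame-options-missing")

    if "x-xss-protection" not in hdrs:
        findings.append("x-xss-protection-missing")

    return findings


if __name__ == "__main__":
    print("gateway :", audit_response(GATEWAY_HEADERS, GATEWAY_HTML))
    print("hardened:", audit_response(HARDENED_HEADERS, "<html></html>"))
```

Running the script against the constructed gateway response reproduces the findings in this article (unsafe-inline for both script-src and style-src, plus the two missing headers) and reports nothing for the hardened variant. Note that the checker also accepts a header-delivered frame-ancestors directive in place of X-Frame-Options, since current browsers honour it, and that current browsers no longer implement the X-XSS-Protection filter, so the CSP correction is the control that actually prevents inline script execution.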

Please advise if the API Portal issues can be addressed.

Document Location

Worldwide



Historical Number

Product Build YAP-6930

Document Information

Modified date:
20 March 2025

UID

ibm17195198