Cross-site Layer2 VPN
In the diagram i have 2 sites. In site 1 i have 2 PE devices with Vlan 3,33 in VTP database and couple of servers in both vlans. Need to extend both vlans broadcast domain to site 2 access layer switches. MPLS/LDP enable on PE's. I am assuming that without another access layer attached to PE3/PE4 with a tunk interface i cannot enable psedowire on PE3/PE3! since i need an (L3 - without an ip address) interface to enable xconnect on. Will vlan-base psedowire work? but will need a SIP card on the PE's since they are 6509!!
Any comment? Let me know you need more clarification..
Francisco.
Hi Francisco,
You're right. You need a SIP card for your uplinks if you want to apply the xconnect to an SVI interface.
You could try creating a trunk for VLAN 3 and 33 between PE3 and PE4. Assuming all the servers are connected to PE3 (there are 2x PE3 on your drawing ;-) ), you could apply the xconnect on PE4 trunk interface only to PE1 as primary and PE2 as secondary:
xconnect 192.168.124.1 10 encapsulation mpls
backup peer 192.168.124.2 20
HTH
Laurent.
Similar Messages
-
Cisco ASA Site to Site IPSEC VPN and NAT question
Hi Folks,
I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet should be the same in this case .5)
The same translation for the rest of the communication (Host N2 pings host N3 destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
It sounds a bit confusing for me but i have seen this type of setup before when I worked for managed service provider where we had connection to our clients (Site to Site Ipsec VPN with NAT, not sure how it was setup)
Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated address as mentioned above 10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the same.
Appreciate if someone can shed some light on it.Hi,
Ok so were going with the older NAT configuration format
To me it seems you could do the following:
Configure the ASA1 with Static Policy NAT
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this setup tomorrow at work but let me know if it works out.
Please rate if it was helpful
- Jouni -
Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
The following is the Layout:
There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
I have been able to configure Client to Site IPSec VPN
1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
2) With Split tunnel with simultaneous assess to internal LAN and Outside Internet.
But I have not been able to make tradiotional Hairpinng model work in this scenario.
I followed every possible sugestions made in this regard in many Discussion Topics but still no luck. Can someone please help me out here???
Following is the Running-Conf with Normal Client to Site IPSec VPN configured with No internat Access:
LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
running-conf --- Working normal Client to Site VPN without internet access/split tunnel
ASA Version 8.2(1)
hostname ciscoasa
domain-name cisco.campus.com
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
interface GigabitEthernet0/0
nameif internet1-outside
security-level 0
ip address 1.1.1.1 255.255.255.240
interface GigabitEthernet0/1
nameif internet2-outside
security-level 0
ip address 2.2.2.2 255.255.255.224
interface GigabitEthernet0/2
nameif dmz-interface
security-level 0
ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/3
nameif campus-lan
security-level 0
ip address 172.16.0.1 255.255.0.0
interface Management0/0
nameif CSC-MGMT
security-level 100
ip address 10.0.0.4 255.255.255.0
boot system disk0:/asa821-k8.bin
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.campus.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network cmps-lan
object-group network csc-ip
object-group network www-inside
object-group network www-outside
object-group service tcp-80
object-group service udp-53
object-group service https
object-group service pop3
object-group service smtp
object-group service tcp80
object-group service http-s
object-group service pop3-110
object-group service smtp25
object-group service udp53
object-group service ssh
object-group service tcp-port
object-group service udp-port
object-group service ftp
object-group service ftp-data
object-group network csc1-ip
object-group service all-tcp-udp
access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
access-list CSC-OUT extended permit ip host 10.0.0.5 any
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
access-list CAMPUS-LAN extended permit ip any any
access-list csc-acl remark scan web and mail traffic
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl remark scan web and mail traffic
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
access-list INTERNET2-IN extended permit ip any host 1.1.1.2
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list DNS-inspect extended permit tcp any any eq domain
access-list DNS-inspect extended permit udp any any eq domain
access-list capin extended permit ip host 172.16.1.234 any
access-list capin extended permit ip host 172.16.1.52 any
access-list capin extended permit ip any host 172.16.1.52
access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
access-list capout extended permit ip host 2.2.2.2 any
access-list capout extended permit ip any host 2.2.2.2
access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu internet1-outside 1500
mtu internet2-outside 1500
mtu dmz-interface 1500
mtu campus-lan 1500
mtu CSC-MGMT 1500
ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
ip verify reverse-path interface internet2-outside
ip verify reverse-path interface dmz-interface
ip verify reverse-path interface campus-lan
ip verify reverse-path interface CSC-MGMT
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (internet1-outside) 1 interface
global (internet2-outside) 1 interface
nat (campus-lan) 0 access-list campus-lan_nat0_outbound
nat (campus-lan) 1 0.0.0.0 0.0.0.0
nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
access-group INTERNET2-IN in interface internet1-outside
access-group INTERNET1-IN in interface internet2-outside
access-group CAMPUS-LAN in interface campus-lan
access-group CSC-OUT in interface CSC-MGMT
route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.2 255.255.255.255 CSC-MGMT
http 10.0.0.8 255.255.255.255 CSC-MGMT
http 1.2.2.2 255.255.255.255 internet2-outside
http 1.2.2.2 255.255.255.255 internet1-outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet2-outside_map interface internet2-outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as
quit
crypto isakmp enable internet2-outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 10.0.0.2 255.255.255.255 CSC-MGMT
telnet 10.0.0.8 255.255.255.255 CSC-MGMT
telnet timeout 5
ssh 1.2.3.3 255.255.255.240 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet2-outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_TG_1 internal
group-policy VPN_TG_1 attributes
vpn-tunnel-protocol IPSec
username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
username administrator password xxxxxxxxxxxxxx encrypted privilege 15
username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
username vpnuser1 attributes
vpn-group-policy VPN_TG_1
tunnel-group VPN_TG_1 type remote-access
tunnel-group VPN_TG_1 general-attributes
address-pool vpnpool1
default-group-policy VPN_TG_1
tunnel-group VPN_TG_1 ipsec-attributes
pre-shared-key *
class-map cmap-DNS
match access-list DNS-inspect
class-map csc-class
match access-list csc-acl
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class csc-class
csc fail-open
class cmap-DNS
inspect dns preset_dns_map
service-policy global_policy global
prompt hostname context
Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
: end
Neither Adding dynamic NAT for 192.168.150.0/24 on outside interface works, nor does the sysopt connection permit-vpn works
Please tell what needs to be done here, to hairpin all the traffic to internet comming from VPN Clients.
That is I need clients conected via VPN tunnel, when connected to internet, should have their IP's NAT'ted against the internet2-outside interface address 2.2.2.2, as it happens for the Campus Clients (172.16.0.0/16)
I'm not much conversant with everything involved in here, therefore please be elaborative in your replies. Please let me know if you need any more information regarding this setup to answer my query.
Thanks & Regards
maxsHi Jouni,
Thanks again for your help, got it working. Actually the problem was ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period, during the day and was not working initially, GUI packet tracer was showing some problems (IPSEC Spoof detected) and also there was this left out dns. Its working fine now.
But my problem is not solved fully here.
Does hairpinning model allow access to the campus LAN behind ASA also?. Coz the setup is working now as i needed, and I can access Internet with the NAT'ed ip address (outside-interface). So far so good. But now I cannot access the Campus LAN behind the asa.
Here the packet tracer output for the traffic:
packet-tracer output
asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.0.0 campus-lan
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.150.1 255.255.255.255 internet2-outside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internnet1-in in interface internet2-outside
access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
dynamic translation to pool 1 (No matching global)
translate_hits = 14, untranslate_hits = 0
Additional Information:
Result:
input-interface: internet2-outside
input-status: up
input-line-status: up
output-interface: internet2-outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The problem here as you can see is the Rule for dynamic nat that I added to make hairpin work at first place
dynamic nat
asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
Is it possible to access both
1)LAN behind ASA
2)INTERNET via HAIRPINNING
simultaneously via a single tunnel-group?
If it can be done, how do I do it. What changes do I need to make here to get simultaneous access to my LAN also?
Thanks & Regards
Abhijit -
how to handle multiple site to site IPsec vpn on ASA, any best practice to to manage multiple ipsec vpn configurations
before ver 8.3 and after version 8.3 ...8.4.. 9 versions..Hi,
To my understanding you should be able to attach the same cryptomap to the other "outside" interface or perhaps alternatively create a new crypto map that you attach only to your new "outside" interface.
Also I think you will probably need to route the remote peer ip of the VPN connection towards the gateway IP address of that new "outside" and also the remote network found behind the VPN connection.
If you attempt to use VPN Client connection instead of L2L VPN connection with the new "outside" interface then you will run into routing problems as naturally you can have 2 default routes active at the sametime (default route would be required on the new "outside" interface if VPN Client was used since you DONT KNOW where the VPN Clients are connecting to your ASA)
Hope this helps
- Jouni -
Publish Page Content-Cross Site Publishing in SharePoint Online
Is it possible to get Authoring Site's Specific Page's Content/html content (Live in Page Library of Authoring Site and saved as a Catalog) by a Content Search web part added to the Publishing site's page?
(Please note that these sites created in SharePoint 2013 Online, Authoring Site activated Cross site Publishing feature and created using team site template, Publishing site created using Publishing Portal template)Hi Gihan,
Glad to hear your issue solved and thanks for your sharing! It is helpful for others who will meet the same issue.
Best Regards,
Eric
Eric Tao
TechNet Community Support -
DOM Based Cross-Site Scripting issue in RoboHelp 10
We're using a WebHelp system originally deplyed using RoboHelp 9.0.2.271, and a recent security scan revealed the DOM based cross-site scripting issue.
I recently upgraded to RoboHelp 10, migrated my help system to this version, and redeployed the system, but our security scan is still detecting the cross-scripting vulnerability in WebHelp. Wasn't this issue resolved in RoboHelp 10?
ThanksHi,
I’m not a security expert, but this script reads the URL of the current topic and redirects to the current topic with a bookmark. This is needed for when the same topic is used in multiple locations in the TOC.
I’ll ask around about this security issue.
Greet,
Willam -
Cross-site scripting vulnerability RoboHelp 10 version
Has the cross-site scripting vulnerability been addressed in the RoboHelp 10 version
To the best of my knowledge it was addressed in Rh9. Rh10 has an HTML5 output option that does not use frames.
However, if security is a concern, then only a security expert can give you the assurance you require.
Personally I have yet to hear of webhelp being used maliciously but that does not mean it hasn't happened.
See www.grainge.org for RoboHelp and Authoring tips
@petergrainge -
JsessionID Cross Site Sccripting Bug
Hacker Safe Found the following cross site scripting issue on
our server.
index.cfm?CFID=6766970&CFTOKEN=32892658&jsessionid=4c3035dcfc2d1
f43303b%3F%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3
E%3C%22%3
D1
The Global protect is on, and the patch is applied, but still
the javascript
executes.
We have corrected it using <cfif
#UrlDecode("#cgi.QUERY_STRING#")# contains "<"> but I would
like to know if there is a patch / hotfix for thiscafebritt wrote:
> Hacker Safe Found the following cross site scripting
issue on our server.
>
>
index.cfm?CFID=6766970&CFTOKEN=32892658&jsessionid=4c3035dcfc2d1
>
f43303b%3F%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3
> E%3C%22%3
> D1
>
> The Global protect is on, and the patch is applied, but
still the javascript
> executes.
>
> We have corrected it using <cfif
#UrlDecode("#cgi.QUERY_STRING#")# contains
> "<"> but I would like to know if there is a patch
/ hotfix for this
You can patch this yourself :) The regular expressions that
are used by
the Global Script Protect function are located in the
neo-security.xml
file. Just update them.
Since this is a user-to-user forum and not a user-to-adobe
forum I would
recommend you file a bugreport at
http://adobe.com/go/wish/
Jochem
Jochem van Dieten
Adobe Community Expert for ColdFusion -
Due to the presence of characters known to be used in Cross Site Scripting
I am getting following error when I try to send single quote as part of URL. I tried javascript escape to encode the URL. But still getting same error. Does anybody know workaround for the issue. Thanks
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
403: Access Forbidden
Your client is not allowed to access the requested objectFYI. We are using IIS Webserver and Weblogic Appserver.
When the page is accessed through Weblogic , cross site script does not occur. It happens when the page is rendered via IIS. -
JSF 1.2 and CSRF (Cross Site Request Forgery) protection
Hi All
My webapp uses (among other technologies like JSP, Ajax, Dojo etc) JSF v1.2 on Webshere 7.0.
I've been fixing security issues in the code recently - in particular Cross Site Request Forgery (CSRF) vulnerabilities. The suggested approach to combat CSRF is to embed a hidden unique token in your form (and also store this same token in the session). In the controller logic (i.e that handles the form's POST) we then check that the session and request token match. I've used this in my JSP's to combat CSRF successfullu. Basically I have a filter which executes before the form loads. This filter creates the unique token and stores in request and session and so on ..
Now for JSF 1.2 ...
I'm wondering how I do this in JSF v1.2 ? Would any one have an code samples or resource they could point me towards ? Is there a filter mechanism we can employ or some callback on the post ?
One idea I had is that to populate to form with the hidden token I would do (in the form):
<h:inputHidden id="jsfSecurityToken" value="#{myBean.securityToken}"/>
In "myBean.java" I have a getSecurityToken method which
a) creates the token
b) stores it into the request
c) stores it into the session
BUT I don't know how/where on the post I can CHECK if these values match
Page 40/41 of http://turbomanage.files.wordpress.com/2009/10/securing-jsf-applications-against-owasp-top-ten-color.pdf mentions "isPostBack" but I'm not sure how to use this.
Any help would be great
Thanks - RonanA phase listener comes to mind. Check out this useful article:
http://balusc.blogspot.com/2006/09/debug-jsf-lifecycle.html -
Cross-site Scripting Vulnerability OAS-10g/10.1.2.0.0 OHS
Has anyone confronted the Cross-site scripting Vulnerability with 10g and OHS 10.1.2?
We are about to put our first APEX box into production, but we need to fix this vulnerability first.
I did some searching around but failed to come up with anything useful. It could be my searching sucked, too.
Any thoughts / help / ideas would be greatly appreciated.
Thanks.Hi,
Do you get this error when you try to run forms configured using OAS 10g 10.2.0.2.
We run a Web application using OAS 10g 10.2.0.2 and after leaving the application idle, more than half an hour, ora-12152 is displayed and the application is in a deadlock.
Can you please suggest any solution for the same.
Should the SQLNET.AUTHENTICATION_SERVICES= (NTS) be commented in sqlnet.ora file.
Sridharrs -
I have created a Cross Site Publishing Environment in SharePoint Online. After connected
to my catalog. 2 pages automatically created. But in "Category" page, if i click on an item it will bring me to the original path/item located in Authoring site. How to configure Content Search Web Part on Category page to show the Published Catalog-item
page on Publishing site?
Can we do this by changing the property mappings?Hi,
According to my understanding, you want users to be redirected to pages in the current site instead of the source page of the search results in a Content Search Web
Part.
By default, the hyperlinks of the search results in a Content Search Web Part will point to the source page where the data comes from, when the hyperlink of each result
is clicked, user will be redirected to the corresponding source page.
If the data comes from other sites, what page do you want to display when user clicks a search result in the Content Search Web Part?
Property Mappings can help to control the content of each part of a display template, however, there seems no such property in the search result can help to redirect
to the pages of the current site, thus, it might not be able to meet your requirement.
More information about customizing the Content Search Web Part:
https://www.martinhatch.com/2013/02/customising-cbswp-part1.html
Best regards,
Patrick
Patrick Liang
TechNet Community Support -
What are default Zend Session handling best practices to prevent Cross Site Request Forgery?
I have enjoyed the David Powers book Adobe Dreamweaver CS5 with PHP: Training from the Source - and have put many of the examples into practice. I have a security related concern that may be tied to the Zend::Auth example in the book. While this is installed an working on my site:
<?php
$failed = FALSE;
if ($_POST) {
if (empty($_POST['username']) || empty($_POST['password'])) {
$failed = TRUE;
} else {
require_once('library.php');
// check the user's credentials
try {
$auth = Zend_Auth::getInstance();
$adapter = new Zend_Auth_Adapter_DbTable($dbRead, 'user', 'login', 'user_pass', 'sha1(?)');
$adapter->setIdentity($_POST['username']);
$adapter->setCredential($_POST['password']);
$result = $auth->authenticate($adapter);
if ($result->isValid()) {
$storage = $auth->getStorage();
$storage->write($adapter->getResultRowObject(array(
'ID', 'login', 'user_first', 'user_last', 'user_role')));
header('Location: /member/index.php');
exit;
} else {
$failed = TRUE;
} catch (Exception $e) {
echo $e->getMessage();
if (isset($_GET['logout'])) {
require_once('library.php');
try {
$auth = Zend_Auth::getInstance();
$auth->clearIdentity();
} catch (Exception $e) {
echo $e->getMessage();
Apparently, there is very limited protection against Cross Site Request Forgery, where the resulting SessionID could be easily hijacked? I am using the Zend Community edition (I have 1.11.11). I have an observation from a client that this authentication is not up to snuff.
To boil it down:
1. Is there a Zend configuration file that might have some settings to upgrade the Session and or authentication security basics? I'm wondering specifically about the settings in /library/Zend/session.php? Ie secure the session against a changing user IP, and invoking some other session handling stuff (time-out etc).
2. If I understand it correctly, "salting" won't help with this, unless it's added/checked via a hidden POST at login time?
Ideally, the man himself, David Powers would jump in here - but I'll take any help I can get!
Thanks!Might ask them over here.
http://forums.asp.net/1146.aspx/1?MVC
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows]
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. -
Cross Site Publishing in SharePoint Online
I was asked to test Cross Site Publishing features in SharePoint 2013 Online. I saved the Authoring site collection's (Used Team Site's Template since Product Catalog Template not avialable in SP Online) Pages library as a Catalog. When I connected that
catalog in my Publishing site collection, 2 pages created automatically. Category Page is showing the content, but CatelogItem page is empty. How can I configure Content Search Web Part to show the Page Content of the Authoring Sites's page?
Can we show Authoring sites Pages libraries page content on the publishing site?
Is this possible in SharePoint Online Cross Site Publishing?Hi,
Thanks for sharing!
Best Regards
Dennis Guo
TechNet Community Support -
Cross site scripting errors in RoboHelp 8.0
We are using Robohelp 8.02, generating webhelp for a web application. Development just started to use Fortify to identify security vulnerabilities. The Fortify software found 17 Robohelp htm files with cross-site scripting security holes. We are NOT using RoboHelp Server 8.
Before creating this posting, I searched the forums and found one post from Feb 2010 (Beware -serious - cross site scripting errors in Robohelp 8.0).
From reading that posting, it appears that an Adobe engineer was involved----I'm not clear on the final outcome for this issue.
Any additional information on the final resolve for this issue would be helpful.
Thanks,
Beware - serious breach - cross site scripting errors in RoboHelp 8.0The previous poster indicated that Tulika, who I can confirm is an Adobe engineer, stated "when she reviewed the code that was triggering the Fortify cross site scripting errors, she came to the conclusion that it was not actually harmful." The poster also indicated their opinion was the other errors were minor.
That seems clear enough so I wonder what value is anything that anyone here can add? The forum responses are from other users and I would have thought any further assurance beyond the above is something your management would want to come from Adobe.
I have not seen anything on these forums indicating that any attack has been triggered.
See www.grainge.org for RoboHelp and Authoring tips
@petergrainge
Maybe you are looking for
-
Connection speed high but pages have been loading slowly for last 4 days.
My Broadband has performed well for the last two years but 4 days ago web pages have suddenly begun to take ages to load (10 to 15 seconds or more). Checking my connection speed gives, typically, 7816 kbits downloaded in 1.542 sec. The problem persis
-
Can I launch a new JSP on a popup window, when cliking a HTMLB button ?
Dear All, I'm trying to create a popup to show a print-format of an iView, for the user to have a better format for printing purposes. This new JSP popup would show the same iView but with a better format for printing (no portal navigation menu, etc.
-
SCCM 2012 R2 bitlocker reporting via "Computers running a specific service"
I have searched the web for how to check how many clients have bitlocker enabled, via SCCM 2012 R2. All suggestions I find are SQL commands. I have not found anyone who suggest using the report Operating System -> Services - Computers running a speci
-
Siebel Instance Strategy – Single Instance or Multiple Instances – Advantag
Folks, We are looking for any white papers on Siebel Instance Strategies. We currently have 5 Siebel individual instances deployed over last 10 years for different business. Is it a good idea to merge all these instances into one? May be merge to say
-
Populating multiple child rows in component interface
hie all, i am new to peoplesoft. I am practising all the tools. I am struck at calling CI in app engine. i used file layout to insert data into staging tables. Then i am calling ci to perform the insertion. If anyone has worked previously, help me wi