Cross-Site Scripting Detection

As part of a 'default secure installation', Oracle Health Insurance protects against Cross-Site Scripting (XSS) attempts by checking data that enters the application through its HTTP RESTful API services. The principal means of preventing XSS in Oracle Health Insurance is input validation, which proceeds in the following steps:

  • Attackers may obfuscate XSS payloads by encoding values, possibly several times over, to bypass security controls. The process therefore canonicalizes (decodes) the data first. If it detects that the data has been encoded more than once, it rejects the request and returns a 'Bad Request' (HTTP 400) response to the client.

  • If the data decodes successfully, the process checks the decoded content for script content. Tags or markup, such as HTML or XML, are not allowed in the data at all. If the process detects tags, it rejects the request and returns a 'Bad Request' response to the client.

Note that Oracle Health Insurance does not sanitize input data: it rejects a request that contains script tags rather than stripping the tags from the data.
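The following added example illustrates the two validation steps and the reject-rather-than-sanitize behaviour described above on a JSON request body. It is not Oracle Health Insurance code: the decoding rounds applied (percent-decoding, then HTML entity decoding), the tag pattern, the field paths in the error texts and the sample requests are all assumptions made for the illustration.

```python
"""Validate-then-reject XSS check, as described above: canonicalize every
string in a JSON request body, reject data that was encoded more than once,
then reject any data that still contains markup. Added example, not Oracle
Health Insurance code; decoding set, tag pattern and error texts are assumed."""
import html
import json
import re
from urllib.parse import unquote

# Assumed tag pattern: '<' directly followed by a tag name, '/', '!' or '?'
# (covers <script>, </b>, <!-- ... -->, <?xml ... ?>). Browsers do not treat
# "a < b" as markup, so '<' followed by whitespace is allowed.
TAG_RE = re.compile(r"<(?:/?[A-Za-z]|!|\?)")


class BadRequest(ValueError):
    """Validation failure; the HTTP layer maps it to a 400 Bad Request."""


def decode_once(value: str) -> str:
    """One canonicalization round: percent-decode, then decode HTML entities."""
    return html.unescape(unquote(value))


def validate_value(value: str, path: str) -> str:
    """Return the canonical form of one field, or raise BadRequest."""
    decoded = decode_once(value)
    # Step 1: if a second round still changes the data, it was encoded more
    # than once (e.g. %253C -> %3C -> <). Reject instead of decoding further.
    if decode_once(decoded) != decoded:
        raise BadRequest(f"{path}: multiply encoded data")
    # Step 2: no sanitizing; any tag in the decoded data rejects the request.
    if TAG_RE.search(decoded):
        raise BadRequest(f"{path}: markup is not allowed")
    return decoded


def _walk(node, path):
    """Validate every string (keys included) in a parsed JSON document."""
    if isinstance(node, str):
        return validate_value(node, path)
    if isinstance(node, dict):
        out = {}
        for key, val in node.items():
            validate_value(key, f"{path}.{key}")  # keys are attacker data too
            out[key] = _walk(val, f"{path}.{key}")
        return out
    if isinstance(node, list):
        return [_walk(val, f"{path}[{i}]") for i, val in enumerate(node)]
    return node  # numbers, booleans and null carry no markup


def check_request_body(body: str):
    """Validate a JSON request body. Returns (http_status, detail)."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        return 400, f"malformed JSON: {exc.msg}"
    try:
        _walk(payload, "$")
    except BadRequest as exc:
        return 400, str(exc)
    return 200, "ok"


# Constructed sample requests (not taken from the product).
SAMPLES = {
    "plain text": '{"name": "Smith & Sons", "note": "a < b, 100% covered"}',
    "single-encoded tag": '{"name": "%3Cscript%3Ealert(1)%3C/script%3E"}',
    "double-encoded": '{"name": "%253Cscript%253E"}',
    "entity-wrapped": '{"name": "&#37;3Cimg src=x onerror=alert(1)&#37;3E"}',
    "nested entities": '{"claims": [{"memberName": "&lt;b&gt;bold&lt;/b&gt;"}]}',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        status, detail = check_request_body(body)
        print(f"{label:20s} -> {status} {detail}")
```

The "entity-wrapped" sample shows why the multiple-encoding check has to run before the tag check: the first round turns `&#37;` into `%`, leaving `%3Cimg ...%3E`, which contains no tag yet and would slip past a tag check that ran on the once-decoded data. The idempotency test (a second round must change nothing) catches it without having to decode all the way down.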

The Installation Guide lists the configuration options for XSS detection. XSS detection is enabled by default. If other components in the landscape (for example a web application firewall in front of the API) already perform XSS detection, you may disable it; before doing so, confirm that the other component inspects every path by which requests reach the RESTful API services.