Security Filters

One of the growing concerns in the web world is security! New security threats/vulnerabilities keep cropping up each day, putting web applications and the confidential/sensitive data they handle at risk.

To enable application developers/architects to keep track of such threats/vulnerabilities, a non-profit organization called OWASP - Open Web Application Security Project - periodically publishes a Top-10 report. This is an 'awareness' report, which outlines the most critical security risks for web applications. The risks highlighted in the latest Top-10 report include Injection, Cross-site scripting (XSS), Broken Authentication, Security misconfiguration, Insufficient Logging etc.

Since eG manager is a web application, the security threats that are featured in OWASP's report apply to the eG manager as well , and can greatly impact its stability and reliability. This is why, the eG manager is pre-hardened against many of the security vulnerabilities listed in OWASP's report!

The security filters of the eG manager are turned on by default, so that, as soon as the eG manager is installed and configured, it is automatically protected against the following vulnerabilities:

Vulnerability

Description

SQL Injection

An injection attack that executes malicious SQL statements to control a database server behind a web application

Cross-Site Scripting (XSS)

A client-side code injection attack that executes malicious scripts in a web browser of the victim by including malicious code in a legitimate web page or web application.

Cross-Site Request Forgery (CSRF)

An attack against authenticated web applications using cookies where the attacker is able to trick the victim into making a request that the victim did not intend to make.

Clickjacking

An attack that tricks a user into clicking a webpage element which is invisible or disguised as another element.

TCP Time Stamp Vulnerabilities

The TCP timestamp response can be used to approximate the remote host's uptime, potentially causing attacks.

Hacking of Browser Cookies

Many web applications have cookie related vulnerabilities that lead to user impersonation, remote cookie tampering, XSS and more

This default behavior of the eG manager is governed by the Enable Security Filters flag, which is set to Yes by default. If required, you can turn off these filters. For that, follow the steps below:

  1. Follow the Admin -> Settings -> Manager menu sequence in the eG admin interface
  2. From the tree-structure in the left panel of the page that appears, select the Security Filters sub-node under the Account Security node.
  3. When the Enable Security Filters flag appears in the right panel, set it to No (see Figure 37). This will disable the security filters.

    Figure 37 : Disabling security filters

  4. Finally, click the Update button in Figure 37.