'Unsafe characters detected in URL parameters. Possible XSS attack.' accessing Dashboards in version 7.0.2+ of RSA Identity Governance & Lifecycle
Originally Published: 2018-03-26
Article Number
Applies To
RSA Version/Condition: 7.0.2+
Issue
The request could not be handled
Unable to create page for page ID "<name of page being accessed>"
Unsafe characters detected in URL parameters. Possible XSS attack.
Cause
Dashboard URLs in releases before 7.0.2 can contain '+' signs. For example, the following bookmarked URL in 6.9.1 brings the user successfully to their dashboard page:
IPaddress:Port/aveksa/main?ReqType=GetPage&PageID=HomeTab_DashboardTab_Terminated+Password+Vault+Reviewers_DashboardDisplayPageData
Starting in 7.0.2, the same URL fails and is flagged as a potential XSS attack. For this reason, the dashboard URLs that version 7.0.2 and higher generate contain no '+' signs, as in the example below:
IPaddress:Port/aveksa/main?ReqType=GetPage&PageID=HomeTab_DashboardTab_TerminatedPasswordVaultReviewers_DashboardDisplayPageData
Because an RSA Identity Governance & Lifecycle patch does not modify user bookmarks, opening an old bookmark still requests the older form of the URL, and the 7.0.2+ check flags it as a potential XSS risk.
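The check and rewrite described above can be reproduced outside the product to audit a list of saved bookmarks before or after an upgrade. The following script is an added example and is not RSA code: it treats the literal '+' sign as the only unsafe character, because that is the only one this article names (the product's actual filter may reject other characters as well), and the host name and port in the sample URLs are constructed placeholders. The query string is handled raw rather than URL-decoded so that '+' is seen as the character the filter sees, not as an encoded space.

```python
"""Audit bookmarked RSA Identity Governance & Lifecycle dashboard URLs for the
'+' signs that the 7.0.2+ URL parameter check rejects, and produce the
rewritten form that the product itself generates in 7.0.2 and higher."""

# Assumption: '+' is the only unsafe character this script looks for, since it
# is the only one the article names. The product's real filter may be broader.
UNSAFE_CHARS = {"+"}


def split_url(url: str):
    """Split a URL into (base, query, fragment) on the raw string.
    urllib.parse is deliberately avoided so the scheme/host part is never
    normalised and the query is never decoded."""
    base, _, rest = url.partition("?")
    query, frag_sep, fragment = rest.partition("#")
    return base, query, frag_sep + fragment


def find_unsafe_params(url: str) -> dict:
    """Return {parameter_name: [offending characters]} for every query
    parameter whose raw value contains a character in UNSAFE_CHARS."""
    _, query, _ = split_url(url)
    findings = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        bad = sorted(set(value) & UNSAFE_CHARS)
        if bad:
            findings[name] = bad
    return findings


def rewrite_url(url: str) -> str:
    """Strip unsafe characters from every query value, mirroring the 7.0.2+
    URL format shown in the article: the '+' is removed, not replaced by a
    space or an encoded space. Parameter names and order are preserved."""
    base, query, fragment = split_url(url)
    pairs = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        for ch in UNSAFE_CHARS:
            value = value.replace(ch, "")
        pairs.append(name + sep + value)
    new_query = "&".join(pairs)
    return base + ("?" + new_query if new_query else "") + fragment


def audit_bookmarks(urls):
    """Return [(original, rewritten)] only for bookmarks that would be
    flagged, so an administrator sees exactly which ones need re-saving."""
    return [(u, rewrite_url(u)) for u in urls if find_unsafe_params(u)]


# Constructed sample bookmarks: the host/port are placeholders, the PageID
# values follow the two forms quoted in the article.
OLD_BOOKMARK = (
    "https://igl.example.com:8443/aveksa/main?ReqType=GetPage"
    "&PageID=HomeTab_DashboardTab_Terminated+Password+Vault+Reviewers_DashboardDisplayPageData"
)
NEW_BOOKMARK = (
    "https://igl.example.com:8443/aveksa/main?ReqType=GetPage"
    "&PageID=HomeTab_DashboardTab_TerminatedPasswordVaultReviewers_DashboardDisplayPageData"
)

if __name__ == "__main__":
    for original, rewritten in audit_bookmarks([OLD_BOOKMARK, NEW_BOOKMARK]):
        print("flagged:", find_unsafe_params(original))
        print("  old:", original)
        print("  new:", rewritten)
```

Running the script reports only the first bookmark, with `PageID` as the flagged parameter, and prints the rewritten URL, which matches the 7.0.2+ form byte for byte; the already-correct bookmark is left out of the report.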
Resolution
- Delete the problematic bookmark (browser dependent).
- Log in to the RSA Identity Governance & Lifecycle user interface.
- Navigate to the Dashboard that was no longer reachable via the bookmark. Note that the Dashboard is now accessible and the URL contains no '+' signs. This is the URL format required for 7.0.2 and above.
- Save the bookmark (browser dependent).
- Access the bookmark and confirm that the Dashboard is now accessible.