Solutions for Common Vulnerabilities in WSO2 Products

Vulnerable Javascript library

Most of these kinds of vulnerabilities are identified as false positives, so some of them are ignored. jQuery AJAX GET operations are not used in the products to call external untrusted sources. API invocations and actions performed through AJAX operations are based on trusted endpoints, and direct user input is not accepted as the calling URL. Hence, this has no significant impact on the usage of the library within the products.

The Importance of Keeping All JavaScript Libraries Up to Date

HTML form without CSRF protection

Cross-Site Request Forgery (CSRF, or XSRF) is a vulnerability in which an attacker tricks a victim into making a request the victim did not intend to make. With CSRF, an attacker abuses the trust a web application has in a victim's browser. Since there is no user session to protect before the user logs in, it is not required to protect the login form against CSRF.

RC4 cipher suites detected vulnerability

RC4 can be restricted at the proxy or the load balancer in the production environment.

Clickjacking: X-Frame-Options header missing

Clickjacking is an attack in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a framed web page while they intend to click on the top-level web page. If the server does not return an X-Frame-Options header, that server is at risk of clickjacking.

As a solution, send the proper X-Frame-Options HTTP response header, which instructs the browser not to allow framing from other domains:
* DENY: the page may not be loaded in a frame/iframe at all.
* SAMEORIGIN: the page may only be framed by a page of the same origin.
* ALLOW-FROM URL: only the given URL may load the page in an iframe. Note that not all browsers support this value.

The X-Frame-Options header can be set up through the proxy or the load balancer [ 1 ].

Login page password-guessing attack

Since the WSO2 Identity Server Carbon Management Console is restricted to internal users, the relevant URL should not be accessible to untrusted networks or individuals. If guessing attacks need to be prevented further, the "User Account Locking" feature [ 1 ] can be used to lock a user account after several failed attempts within a configured time interval.

Slow HTTP Denial of Service Attack

DoS prevention at the load balancer level is recommended for web applications.

The POODLE attack (SSLv3 supported)

SSLv3 was blocked from the beginning and only TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3 were supported, so the SSLv3 POODLE attack is not possible. We have made a couple of changes to enable "Forward Secrecy" with the following ciphers and confirmed that the list does not contain RC4.

Go to CARBON_HOME/repository/conf/tomcat/catalina-server.xml.
Make the following changes inside the TLS connector element:
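An added example (not WSO2's own code or shipped configuration) that audits the TLS connector attributes the POODLE and RC4 sections rely on: it parses catalina-server.xml-style XML and flags SSLv2/SSLv3 in `sslEnabledProtocols`, RC4 suites, and suites without forward secrecy in `ciphers`. The sample connectors and their values are constructed for illustration, and the script assumes the connector uses Tomcat's per-connector `sslEnabledProtocols` and `ciphers` attributes.

```python
import xml.etree.ElementTree as ET

# Constructed sample connectors in the shape of catalina-server.xml; the values are
# illustrative and are not WSO2's shipped configuration.
WEAK_CONNECTOR = """<Server><Service>
<Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  SSLEnabled="true" scheme="https" secure="true"
  sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"
  ciphers="TLS_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
</Service></Server>"""

HARDENED_CONNECTOR = """<Server><Service>
<Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  SSLEnabled="true" scheme="https" secure="true"
  sslEnabledProtocols="TLSv1.2,TLSv1.3"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"/>
</Service></Server>"""

# Cipher-name prefixes that negotiate an ephemeral key (forward secrecy):
# ECDHE/DHE suites in TLS 1.2 naming, and every TLS 1.3 suite.
FORWARD_SECRET_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_", "TLS_AES_", "TLS_CHACHA20_")


def _csv(value):
    """Split a comma-separated connector attribute into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_connectors(xml_text):
    """Return a list of findings for every SSL-enabled <Connector> in the XML."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: nothing TLS-related to check
        port = conn.get("port", "?")
        protocols = _csv(conn.get("sslEnabledProtocols", ""))
        ciphers = _csv(conn.get("ciphers", ""))
        if any(p.upper().startswith("SSLV") for p in protocols):
            findings.append(f"port {port}: SSLv2/SSLv3 enabled (POODLE exposure)")
        if any("RC4" in c.upper() for c in ciphers):
            findings.append(f"port {port}: RC4 cipher suite configured")
        if not ciphers:
            findings.append(f"port {port}: no explicit cipher list, JVM defaults apply")
        for c in ciphers:
            if not c.upper().startswith(FORWARD_SECRET_PREFIXES):
                findings.append(f"port {port}: {c} lacks forward secrecy")
    return findings
```

Run `audit_connectors` on the real file's contents after editing; an empty list means no SSLv3, no RC4 and only forward-secret suites remain.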


SSL certificate public key less than 2048 bit

Generate a new certificate (with a key of 2048 bits or more) and install it into the server.