Data Validation and Protection

Validation of input data ensures that the data is in the expected format, based on a set of predefined rules for each variable. HTML variables, XML data, cookie values, and parameters are checked against this set of rules.

IBM® Cognos® Application Firewall (CAF) performs positive validation of parameters instead of only searching for known script injection tags or common SQL injection signatures. Each parameter is validated against a rule that expects a certain data type in a certain format. If the data does not match the CAF rule, it is rejected.

To provide even stronger validation, CAF matches regular expression patterns to protect data inputs that use complicated formats.
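The following is an added illustration of positive (allowlist) parameter validation of the kind described above; it is not CAF code and does not use CAF's rule syntax. The rule names, the parameters (pageNumber, format, storeID, name) and their formats are constructed for the example. Each parameter must match a rule that fixes its type and format, an unknown parameter is rejected rather than passed through, and regular expressions are applied with a full match so that a valid prefix followed by injected content does not pass.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Mapping

# Assumed: the rule format and parameter names below are illustrative
# and are not CAF's own rule syntax, which is managed in IBM Cognos Configuration.


@dataclass(frozen=True)
class Rule:
    """Positive rule: the parameter value must have this type and format."""
    name: str
    check: Callable[[str], bool]


def _int_in_range(lo: int, hi: int) -> Callable[[str], bool]:
    """Accept only a plain decimal integer within [lo, hi]."""
    def check(value: str) -> bool:
        return re.fullmatch(r"-?[0-9]{1,10}", value) is not None and lo <= int(value) <= hi
    return check


def _regex(pattern: str) -> Callable[[str], bool]:
    """Accept only values that match the whole pattern (fullmatch, not search)."""
    compiled = re.compile(pattern)
    return lambda value: compiled.fullmatch(value) is not None


def _one_of(*allowed: str) -> Callable[[str], bool]:
    """Accept only one of a fixed set of literal values (case-sensitive)."""
    allowed_set = frozenset(allowed)
    return lambda value: value in allowed_set


# Constructed rule set for a handful of request parameters.
RULES: Dict[str, Rule] = {
    "pageNumber": Rule("integer 1..10000", _int_in_range(1, 10000)),
    "format":     Rule("enum HTML|PDF|CSV|XML", _one_of("HTML", "PDF", "CSV", "XML")),
    # object identifier: fixed prefix plus 32 upper-case hex digits, nothing else
    "storeID":    Rule("storeID", _regex(r"i[0-9A-F]{32}")),
    # display name: bounded length, limited character set (no < > " ' ; etc.)
    "name":       Rule("name", _regex(r"[A-Za-z0-9 _.\-]{1,64}")),
}


def validate(params: Mapping[str, str], rules: Mapping[str, Rule] = RULES) -> Dict[str, str]:
    """Return rejection reasons keyed by parameter name; an empty dict means accepted.

    Every parameter is checked against its rule.  A parameter with no rule is
    rejected too: positive validation means only what is known to be good passes,
    instead of searching values for known-bad script or SQL fragments.
    """
    problems: Dict[str, str] = {}
    for key, value in params.items():
        rule = rules.get(key)
        if rule is None:
            problems[key] = "no validation rule defined"
        elif not rule.check(value):
            problems[key] = f"does not match rule '{rule.name}'"
    return problems


if __name__ == "__main__":
    print(validate({"pageNumber": "3", "format": "PDF"}))
    print(validate({"name": "<script>alert(1)</script>", "debug": "1"}))
```

The request is rejected as a whole when any parameter fails; the function returns the per-parameter reasons so they can be logged, while the response to the client need not repeat the offending value.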

A common type of attack is to trick a user into going to a harmful site by modifying the form parameters. The back button and error URL features of a product provide a prime target for this type of attack.

CAF limits the list of hosts and domains that a back URL can access. CAF can be configured with a list of host names, including port numbers and domains. If a back URL contains a host or a domain that does not appear in the list, the request is rejected. By default, the host name of the dispatcher is added to the list. You can configure the list using IBM Cognos Configuration.
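The back URL check described above, as an added example that is not CAF's own implementation: the allowlist, the dispatcher host name (cognos.example.com:9300) and the other host and domain entries are constructed for the example. An entry with a port matches only that port, an entry without a port matches any port, and an entry with a leading dot matches any host within that domain. Beyond the list match itself, the example rejects the forms an attacker typically uses to smuggle a foreign host past such a check: user information before the host, scheme-relative URLs, non-HTTP schemes, and backslashes.

```python
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Assumed: a constructed allowlist. In the product the list is configured in
# IBM Cognos Configuration and the dispatcher's host name is present by default.
DISPATCHER_HOST = "cognos.example.com:9300"      # constructed value
VALID_DOMAINS = [DISPATCHER_HOST, "reports.example.com", ".corp.example.com"]


def _host_matches(host: str, port: Optional[int], entry: str) -> bool:
    """Match a lower-cased host (and its port) against one allowlist entry."""
    entry = entry.lower()
    if entry.startswith("."):
        # domain entry: host must end with the dotted suffix, so
        # 'evilcorp.example.com' does not match '.corp.example.com'
        return host.endswith(entry)
    entry_host, _, entry_port = entry.partition(":")
    if host != entry_host:
        return False
    # an entry with a port matches only that port; without one it matches any port
    return not entry_port or (port is not None and str(port) == entry_port)


def is_allowed_back_url(url: str, allowed: Iterable[str] = VALID_DOMAINS) -> Tuple[bool, str]:
    """Decide whether a back or error URL may be followed; returns (allowed, reason)."""
    if "\\" in url or any(c in url for c in "\r\n\t"):
        # browsers may treat '/\host' like '//host'; CR/LF invite header injection
        return False, "backslashes or control characters are not permitted"
    try:
        parts = urlsplit(url.strip())
        port = parts.port                  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("", "http", "https"):
        return False, f"scheme '{parts.scheme}' is not permitted"
    if parts.username is not None or parts.password is not None:
        # 'http://trusted@evil' and 'http://evil@trusted' both hide the real target
        return False, "user information in the authority is not permitted"
    if not parts.netloc:
        if parts.scheme:
            return False, "absolute URL without a host"
        # a plain relative path stays on the current host; note that '//host/...'
        # is scheme-relative and has already been split into netloc above
        return True, "relative path"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "empty host"
    for entry in allowed:
        if _host_matches(host, port, entry):
            return True, f"host '{host}' matched entry '{entry}'"
    return False, f"host '{host}' is not in the allowed list"


if __name__ == "__main__":
    for candidate in ("http://cognos.example.com:9300/ibmcognos/",
                      "https://db.corp.example.com/home",
                      "http://attacker.test@cognos.example.com:9300/",
                      "//attacker.test/",
                      "javascript:alert(1)"):
        print(candidate, "->", is_allowed_back_url(candidate))
```

Matching on the parsed host rather than on a substring of the raw URL is the point of the example: a naive `"cognos.example.com" in url` check accepts every one of the rejected forms above.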

For more information, see the Installation and Configuration Guide.