Symantec Access Management

  • 1.  How to pass XSS validation of Site Minder Agent?

    Posted Jul 16, 2014 02:44 AM

    My customer uses CA SiteMinder for SSO. The SiteMinder Agent is installed in IIS; some requests are stopped by the SiteMinder Agent and show the message "Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags". I added "CSSChecking=no" in LocalConfig.conf, and then the request can pass through. But I think it's not recommended. Please help me explain the true root cause of it and how to solve it? Thanks.



  • 2.  Re: How to pass XSS validation of Site Minder Agent?

    Posted Jul 16, 2014 04:14 AM

    Hi,

     

    What you see is expected behavior when you have possible cross-site scripting (XSS) characters (i.e. < > ') in the request. Allowing these characters in the URL is dangerous, as it allows an intruder to inject scripting to retrieve sensitive information. As such, setting CssChecking=no is not recommended.

     

    Enabling CssChecking automatically blocks the following:

    • left and right angle brackets (< and >) 
    • single quote (')

     

    CssChecking works together with BadCssChars if you have additional cross-site scripting characters that need to be blocked.
    As such, you first need to identify which character in your request triggers the CSS checking.

     

    Hope this helps.

    Thanks.

    Kar Meng



  • 3.  Re: How to pass XSS validation of Site Minder Agent?

    Posted Jul 16, 2014 07:32 AM

    Thanks for your quick reply.

    This is the log from Site Minder Agent.

    [07/16/2014][19:21:57][10744][5308][CSmHttpPlugin.cpp:4356][CSmHttpPlugin::BadCSSCharsFound][][][][][][][URL contains BadCssChars: '/TestApp/reports/frmTest.jsp?hTablename=Customer%20Transfer%20Reports%20(RENTAS)%20-%20Browse&frDt=16/07/2014&toDt=16/07/2014'.]

    The URL doesn't contain angle brackets or a single quote, so why does it still fail XSS validation?



  • 4.  Re: How to pass XSS validation of Site Minder Agent?

    Posted Jul 16, 2014 09:12 PM

    Hi,

     

    I suspect you have defined some additional characters in BadCssChars. I have tested in my test environment by just enabling csschecking=yes and submitting the following request:

     

    "http://<FQDN>/transpolar/frontpage.htm?hTablename=Customer Transfer Reports (RENTAS) - Browse&frDt=16/07/2014&toDt=16/07/2014"

     

    It doesn't block me from accessing the page. As such, you must have an additional value in the ACO parameter BadCssChars.



  • 5.  Re: How to pass XSS validation of Site Minder Agent?
    Best Answer

    Posted Jul 16, 2014 09:16 PM

    You can find the ACO parameters in webagent.log. When the web agent starts up, it loads the ACO parameters and logs them.

    e.g.:

    [3100/3136][Thu Jul 17 2014 10:57:03] ***** Begin Configuration *******************************************

    [3100/3136][Thu Jul 17 2014 10:57:03] agentconfigobject='iis aco'.

    [3100/3136][Thu Jul 17 2014 10:57:03] agentidfile='C:\Program Files\CA\webagent\win64\bin\IIS\AgentId.dat'.

    [3100/3136][Thu Jul 17 2014 10:57:03] allowcacheheaders='no'.

    [3100/3136][Thu Jul 17 2014 10:57:03] allowlocalconfig='no'.

    [3100/3136][Thu Jul 17 2014 10:57:03] badcsschars='('.

    [3100/3136][Thu Jul 17 2014 10:57:03] badurlchars='//,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25'.

    [3100/3136][Thu Jul 17 2014 10:57:03] cacheanonymous='no'.

    [3100/3136][Thu Jul 17 2014 10:57:03] cccext='.ccc'.

    [3100/3136][Thu Jul 17 2014 10:57:03] constructfullpwsvcurl='no'.

    [3100/3136][Thu Jul 17 2014 10:57:03] cookiedomain=''.

    [3100/3136][Thu Jul 17 2014 10:57:03] cookiedomainscope='0'.

    [3100/3136][Thu Jul 17 2014 10:57:03] csschecking='yes'

    ....
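An added worked example, not code from the thread or from CA: a small Python script that pulls the ACO dump out of a webagent.log excerpt like the one above, builds the effective blocked set from the default CSSChecking characters (< > ') plus whatever BadCssChars adds, and reports which of them appear in the URL from the agent log in reply 3. The log excerpt and URL are reconstructed from the posts above; treating BadCssChars as a comma-separated list (like BadUrlChars in the dump) and the extra percent-decoding pass are assumptions about the agent, not documented behaviour.

```python
"""Work out which character made SiteMinder CSSChecking reject a URL."""
import re
from urllib.parse import unquote

# Constructed sample: an abridged copy of the 'Begin Configuration' dump
# shown in the reply above (webagent.log at agent start-up).
WEBAGENT_LOG = """\
[3100/3136][Thu Jul 17 2014 10:57:03] ***** Begin Configuration *******************************************
[3100/3136][Thu Jul 17 2014 10:57:03] agentconfigobject='iis aco'.
[3100/3136][Thu Jul 17 2014 10:57:03] badcsschars='('.
[3100/3136][Thu Jul 17 2014 10:57:03] badurlchars='//,./,/.,/*,*.,~,\\,%00-%1f,%7f-%ff,%25'.
[3100/3136][Thu Jul 17 2014 10:57:03] csschecking='yes'
"""

# The URL the agent logged as 'URL contains BadCssChars' in reply 3.
URL = ("/TestApp/reports/frmTest.jsp?hTablename=Customer%20Transfer%20Reports"
       "%20(RENTAS)%20-%20Browse&frDt=16/07/2014&toDt=16/07/2014")

# Characters blocked whenever CSSChecking is on, per reply 2.
DEFAULT_CSS_CHARS = ("<", ">", "'")

# One ACO line: "...] name='value'." (the trailing period is not always present).
ACO_LINE = re.compile(r"\]\s*([a-z0-9]+)='(.*?)'\.?\s*$")


def parse_aco(log_text):
    """Return {parameter: value} for every ACO line in the start-up dump."""
    params = {}
    for line in log_text.splitlines():
        m = ACO_LINE.search(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def css_chars_for(params):
    """Effective blocked set: empty if CSSChecking is off, otherwise the
    defaults plus BadCssChars. Assumption: BadCssChars is a comma-separated
    list of sequences, as BadUrlChars is in the dump."""
    if params.get("csschecking", "no").lower() != "yes":
        return set()
    extra = {s for s in params.get("badcsschars", "").split(",") if s}
    return set(DEFAULT_CSS_CHARS) | extra


def find_bad_css_chars(url, blocked):
    """Blocked sequences present in the URL, checked as sent ('raw') and
    after percent-decoding ('decoded'). The decoded pass is an assumption;
    the agent log above shows the still-encoded URL."""
    hits = {}
    for form, text in (("raw", url), ("decoded", unquote(url))):
        found = sorted(s for s in blocked if s in text)
        if found:
            hits[form] = found
    return hits


def diagnose(log_text, url):
    """End to end: read the ACO dump, then explain the rejection of `url`."""
    return find_bad_css_chars(url, css_chars_for(parse_aco(log_text)))


if __name__ == "__main__":
    aco = parse_aco(WEBAGENT_LOG)
    print("csschecking =", aco["csschecking"], "badcsschars =", aco["badcsschars"])
    print("blocked sequences in URL:", diagnose(WEBAGENT_LOG, URL))
    # A genuine XSS probe is only caught once the URL is decoded:
    print(diagnose(WEBAGENT_LOG, "/TestApp/x.jsp?q=%3Cscript%3E"))
```

Running it against the thread's own data points straight at the '(' in "(RENTAS)", which is exactly the extra character the ACO adds in badcsschars='('. The fix the thread arrives at is to correct the ACO value rather than set CSSChecking=no: with badcsschars emptied the same URL passes while `<script>` in a query string is still flagged.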



  • 6.  Re: How to pass XSS validation of Site Minder Agent?

    Posted Jul 16, 2014 10:52 PM

    It worked, thanks for your help