Symantec Access Management


urlencode

  • 1.  urlencode

    Posted Sep 30, 2013 08:07 AM
    <!-- SiteMinder Encoding=ISO-8859-1; -->
    @username=%USER%
    @smretries=0
    @nexttarget=%urlencode(TARGET)%

    <html>
    <head>
    <META HTTP-EQUIV="Refresh" CONTENT="3; URL=/portalzone/login/loadLogin.do?smauthreason=$$smauthreason$$&target=$$nexttarget$$">
    <META HTTP-EQUIV="Pragma" CONTENT="no-cache">


    In the above FCC, we can see that @nexttarget gets the TARGET from URL=/portalzone/login/loadLogin.do, depending on the condition mentioned (whether the browser supports JavaScript or not).

    The requirement is, I have to remove the urlencode function from the FCC and pass the target value without encoding.
    Please suggest whether there will be any impact if I remove the function.

    Also, I am not sure why this urlencode function was there, since this FCC was customized many years ago.

    Thanks in advance.


  • 2.  RE: urlencode

    Broadcom Employee
    Posted Sep 30, 2013 02:58 PM
    The default FCC file doesn't have an @nexttarget attribute, so you can just remove this and change $$nexttarget$$ to $$target$$.


  • 3.  RE: urlencode

    Posted Oct 01, 2013 07:10 AM
    Thanks for the response.

    Yes, we don't have an @nexttarget directive, but I believe it's a placeholder which captures the target value depending on the condition mentioned in the openlogin.do page, which is mentioned in the META tag.

    But I believe the urlencode function is part of the HTML authentication form, so I am wondering what difference it will make if I don't encode the URL before appending it in the META tag, since I am not sure in the first place why this logic was introduced earlier.

    Thanks.


  • 4.  RE: urlencode

    Posted Oct 07, 2013 06:53 PM
    Hi,

    urlencode is required to encode the target URL if it contains special characters like (. & = + ? ; / : @ = , $ %). Without encoding, the original target URL will not be preserved during redirection, which may lead to unexpected results.
    So we suggest you urlencode the URL wherever you expect a redirection to occur.

    On another note, urlencode() is a SiteMinder version of URL encoding and is not the same as normal HTML URL encoding.

    Hope this helps.
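As an added illustration of the point above (example code written for this thread, not taken from it and not SiteMinder's own implementation): the script below builds the redirect URL that the META Refresh in the first post produces, once with the target left raw and once percent-encoded, and then parses it back the way a server-side query parser would. Standard percent-encoding (`urllib.parse.quote` with `safe=""`) stands in for SiteMinder's urlencode(), which the reply above says is not identical. The nested target is the one quoted later in this thread; the two targets carrying "&" and "+" are constructed, and smauthreason is fixed at 0 for the demo.

```python
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

LOGIN_PAGE = "/portalzone/login/loadLogin.do"  # path from the META Refresh in this thread

# Sample targets. The first is the nested target quoted later in this thread;
# the other two are constructed to carry the "&" and "+" characters from the
# special-character list above.
NESTED_TARGET = "/portalzone/login/jsLogin.do?target=portalzone/portalzone/homeLogin.do"
AMP_TARGET = "/app/report.do?id=7&view=full"
PLUS_TARGET = "/app/search.do?q=a+b"


def build_refresh_url(target: str, encode: bool) -> str:
    """Build the URL the FCC's META Refresh sends the browser to.

    quote(..., safe="") is plain percent-encoding of every reserved character;
    it stands in for SiteMinder's own urlencode() (assumption: close enough for
    the characters listed in the thread)."""
    value = quote(target, safe="") if encode else target
    return f"{LOGIN_PAGE}?smauthreason=0&target={value}"  # smauthreason fixed at 0 for the demo


def target_seen_by_login_page(url: str) -> Optional[str]:
    """Parse the redirect URL as a server-side query parser would and return
    the single 'target' parameter it sees (None if the parameter is absent)."""
    params = parse_qs(urlsplit(url).query)
    values = params.get("target")
    return values[0] if values else None


def round_trips(target: str, encode: bool) -> bool:
    """True when the login page receives exactly the target the FCC started with."""
    return target_seen_by_login_page(build_refresh_url(target, encode)) == target


if __name__ == "__main__":
    for t in (NESTED_TARGET, AMP_TARGET, PLUS_TARGET):
        print(f"{t!r}: raw={round_trips(t, False)} encoded={round_trips(t, True)}")
```

Running it shows the failure mode the reply describes: with the raw "&" target the login page receives only `/app/report.do?id=7` because `view=full` is absorbed into the outer query string, and the raw "+" target comes back with a space in place of the plus sign. Whether a bare "?" alone survives depends on the parser (this one keeps it), which is why encoding every time is the safe rule rather than reasoning about individual characters.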


  • 5.  RE: urlencode

    Broadcom Employee
    Posted Oct 09, 2013 11:45 AM

    antonys wrote:

    <!-- SiteMinder Encoding=ISO-8859-1; -->
    @username=%USER%
    @smretries=0
    @nexttarget=%urlencode(TARGET)%

    <html>
    <head>
    <META HTTP-EQUIV="Refresh" CONTENT="3; URL=/portalzone/login/loadLogin.do?smauthreason=$$smauthreason$$&target=$$nexttarget$$">
    <META HTTP-EQUIV="Pragma" CONTENT="no-cache">


    In the above FCC, we can see that @nexttarget gets the TARGET from URL=/portalzone/login/loadLogin.do, depending on the condition mentioned (whether the browser supports JavaScript or not).

    The requirement is, I have to remove the urlencode function from the FCC and pass the target value without encoding.
    Please suggest whether there will be any impact if I remove the function.

    Also, I am not sure why this urlencode function was there, since this FCC was customized many years ago.

    Thanks in advance.

    SiteMinder FCC files support three types of encoding and decoding functions.

    smencode()/smdecode()
    urlencode()/urldecode()
    b64encode()/b64decode()

    Basically, anywhere you have $$variable$$, you modify the string to be $$encode function(variable)$$. So $$target$$ becomes $$urlencode(target)$$, for example. Then, to make sure that the variable is properly decoded after a post (important for hidden variables!!), place @variable=%decode function(variable)% at the top of the file in the list of FCC directives. Following my example, you’d add @target=%urldecode(target)%. See the attached login.fcc file for a full working example of how this works. I encourage your team to make the changes in their test environment and retry their XSS attacks.

    Example: Login.fcc

    Need to decode in the directive declaration

    <!-- SiteMinder Encoding=ISO-8859-1; -->
    @username=%USER%
    @smretries=0
    @target=%urldecode(target)%
    @smquerydata=%urldecode(smquerydata)%
    @smagentname=%urldecode(smagentname)%
    @smauthreason=%urldecode(smauthreason)%
    @postpreservationdata=%urldecode(postpreservationdata)%



    <tr>

    <td colspan=4 NOWRAP WIDTH="50%" HEIGHT="25" align="CENTER">

    <input type=hidden name=target value="$$urlencode(target)$$">

    <input type=hidden name=smquerydata value="$$urlencode(smquerydata)$$">

    <input type=hidden name=smauthreason value="$$urlencode(smauthreason)$$">

    <input type=hidden name=smagentname value="$$urlencode(smagentname)$$">

    <input type=hidden name=postpreservationdata value="$$urlencode(postpreservationdata)$$">

    <input type="button" value="Login" onClick="submitForm();">

    </td>


  • 6.  RE: urlencode

    Posted Oct 10, 2013 06:20 AM
    Hi Stephen,

    In my case, the target value contains a special character "?", so if I post my target with the urldecode function, will my target value get preserved for redirection?

    Thanks in advance.

    Regards,
    Antony Sunny,
    http://itinfradiscussions.blogspot.com


  • 7.  RE: urlencode

    Broadcom Employee
    Posted Oct 10, 2013 10:51 AM

    antonys wrote:

    Hi Stephen,

    In my case, the target value contains a special character "?", so if I post my target with the urldecode function, will my target value get preserved for redirection?

    Thanks in advance.

    Regards,
    Antony Sunny,
    http://itinfradiscussions.blogspot.com

    If the login.fcc contains the following values, it will encode and decode all of the TARGET:
    @target=%urldecode(target)%
    <input type=hidden name=target value="$$urlencode(target)$$">

    antonys wrote:

    The requirement is, I have to remove the urlencode function from the FCC and pass the target value without encoding.
    Please suggest whether there will be any impact if I remove the function.

    Also, I am not sure why this urlencode function was there, since this FCC was customized many years ago.

    You do not need to encode or decode; they are used to protect the FCC against attacks.
    There are customers that prefer to let the application handle cross-site scripting attacks. The FCC is a SiteMinder application. I've described how to protect the FCC using existing SiteMinder mechanisms that are part of the language that makes the FCC files programmable.


  • 8.  RE: urlencode

    Posted Oct 11, 2013 08:05 AM
    Thanks Stephen, for your response.
    I am a bit concerned about making changes to the below FCC, since it has been used for a long time. But I want to understand the logic behind this customized FCC.
    I have pasted a snippet of a working FCC file:
    <!-- SiteMinder Encoding=ISO-8859-1; -->
    @username=%USER%
    @smretries=0
    @nexttarget=%urlencode(TARGET)%

    <html>
    <head>
    <META HTTP-EQUIV="Refresh" CONTENT="3; URL=/portalzone/login/loadLogin.do?smauthreason=$$smauthreason$$&target=$$nexttarget$$">
    <META HTTP-EQUIV="Pragma" CONTENT="no-cache">

    During the POST of the FCC, I can see the target value is passed as below:
    /portalzone/login/jsLogin.do?target=portalzone/portalzone/homeLogin.do
    So my understanding is, since the above target value contains a special character "?", the urlencode function had been used.
    As per the below META tag, the value of target is getting populated from the URL (/portalzone/login/loadLogin.do) mentioned in the META tag:
    <META HTTP-EQUIV="Refresh" CONTENT="3; URL=/portalzone/login/loadLogin.do?smauthreason=$$smauthreason$$&target=$$nexttarget$$">

    What I am not understanding is the @nexttarget directive, since there is no SiteMinder-defined directive as such, or can SiteMinder post the target as in the FCC, since target=$$nexttarget$$?
    Please suggest.
    Thanks in advance.


  • 9.  RE: urlencode

    Broadcom Employee
    Posted Oct 11, 2013 10:35 AM

    antonys wrote:



    What I am not understanding is the @nexttarget directive, since there is no SiteMinder-defined directive as such, or can SiteMinder post the target as in the FCC, since target=$$nexttarget$$?
    Please suggest.
    Thanks in advance.

    Have not seen a non-agent directive; unsure what/how it would be used/handled.

    About the Directives:
    The directives are never passed to the client.
    They must be at the beginning of the file and are of the form: @name=value

    The name is the name of a variable.
    The value is the variable’s value.
    The value may contain strings of the form: %name1%.


    SiteMinder’s FCC can interpret a number of special name/value pairs (@directives) that invoke non-standard processing. The following are the special @directives and their meanings:

    username - Name to use to as the login user name.
    password - Password to use to perform the login.
    target - Resource to access after login.
    smheaders - Colon separated list of SiteMinder response names to include in the namespace. The colon separated list must contain an entry for each header that you want to include in a SiteMinder transaction. For example, if you want to pass the value of header1 and header2 as part of a SiteMinder transaction, the following would be included in your FCC: @smheaders=header1:header2
    smerrorpage - If there is an error on a Post to the custom form, the user’s browser will be redirected to this page. If this special value is not specified in a .fcc file, SiteMinder uses the .unauth file associated with the .fcc file as the error page.
    smretries - Specifies the maximum number of login attempts allowed. If you set this directive to 0, the number of retries is unlimited. If you set the number to 1 or greater, that is the number of retries allowed.
    smusrmsg - Text that describes why the user was challenged / failed to login.
    smauthreason - Reason code associated with a login failure.
    smsavecreds - Set to Yes to save user credentials in a persistent cookie on the user’s browser.
    smsave - Colon separated list of names to be saved as persistent cookies.
    save - Another name for smsave.
    smtransient - Colon separated list of names to be saved as transient cookies.
    smagentname - Specifies the agent name that will be supplied to the Policy Server when a user enters credentials and submits the form for authentication. If the Agent parameter FCCCompatMode=NO is set, you must specify a value using this directive.
    smlogout - Logs a user out of SiteMinder, similar to logoffuri. By placing @smlogout=true in your .fcc template, the FCC will log a user out of SiteMinder and redirect the user to the target. As such, the @smlogout directive is typically used in conjunction with the @target directive (@target=<yoururlhere>).
    urlencode(name) - Replaced by the URL encoded value of the named variable.
    urldecode(name) - Replaced by the URL decoded value of the named variable.
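To make the directive format described above and the encode-on-output / decode-on-input pattern from reply 5 concrete, here is an added toy processor (written for this thread; it is not SiteMinder's engine and is not the project's code) that handles the three constructs the thread discusses: `@name=value` directives at the top of the file, `%name%` / `%urldecode(name)%` references inside directive values, and `$$name$$` / `$$urlencode(name)$$` substitutions in the HTML body. Standard percent-encoding stands in for SiteMinder's urlencode()/urldecode(), which reply 4 says differ from plain URL encoding. The `LOGIN_FCC` template, its `action="login.fcc"`, and the request dictionaries are constructed; the nested target value is the one posted in reply 8.

```python
import re
from urllib.parse import quote, unquote

# Minimal FCC-style template, modelled on the login.fcc fragment in reply 5
# (constructed for this example; the form action is an assumption).
LOGIN_FCC = """<!-- SiteMinder Encoding=ISO-8859-1; -->
@username=%USER%
@smretries=0
@target=%urldecode(target)%

<html>
<form method="POST" action="login.fcc">
<input type=hidden name=target value="$$urlencode(target)$$">
<input type=text name=USER value="$$username$$">
</form>
</html>"""

NESTED_TARGET = "/portalzone/login/jsLogin.do?target=portalzone/portalzone/homeLogin.do"

# A reference is either func(name) with func in {urlencode, urldecode} or a bare name.
_REF = r"(?:(urlencode|urldecode)\((\w+)\)|(\w+))"
DIRECTIVE_RE = re.compile(r"^@(\w+)=(.*)$")      # @name=value
VALUE_REF_RE = re.compile("%" + _REF + "%")     # %name% inside a directive value
BODY_REF_RE = re.compile(r"\$\$" + _REF + r"\$\$")  # $$name$$ in the HTML body


def _apply(func, value):
    """Stand-ins for the SiteMinder functions: plain percent-encoding/decoding."""
    if func == "urlencode":
        return quote(value, safe="")
    if func == "urldecode":
        return unquote(value)
    return value


def _resolve(match, namespace):
    func, func_arg, plain = match.groups()
    name = func_arg if func_arg is not None else plain
    return _apply(func, namespace.get(name, ""))


def render_fcc(template, request_vars):
    """Process one FCC request. request_vars holds the query/POST parameters the
    agent would place in the namespace. Returns (namespace, rendered_html).
    Directives are evaluated in order and never reach the client, as the
    description above states; the encoding comment and blank lines above the
    body are dropped."""
    namespace = dict(request_vars)
    body = []
    for line in template.splitlines():
        m = DIRECTIVE_RE.match(line.strip()) if not body else None
        if m:
            name, value = m.groups()
            namespace[name] = VALUE_REF_RE.sub(lambda r: _resolve(r, namespace), value)
        elif not body and (not line.strip() or line.strip().startswith("<!--")):
            continue
        else:
            body.append(BODY_REF_RE.sub(lambda r: _resolve(r, namespace), line))
    return namespace, "\n".join(body)


def hidden_field_value(html):
    """Pull the rendered value of the hidden 'target' input out of the page."""
    m = re.search(r'name=target value="([^"]*)"', html)
    return m.group(1) if m else None


def only_unreserved_chars(value):
    """True when the string contains nothing but RFC 3986 unreserved characters
    and '%', so it can never close an HTML attribute or start a tag."""
    return re.fullmatch(r"[A-Za-z0-9._~%-]*", value) is not None


def round_trip(target):
    """GET: the agent supplies the raw target and the form embeds it encoded.
    POST: the browser sends the encoded hidden field back and the
    @target=%urldecode(target)% directive restores the original."""
    _, page = render_fcc(LOGIN_FCC, {"target": target})
    posted_back = hidden_field_value(page)
    namespace, _ = render_fcc(LOGIN_FCC, {"target": posted_back})
    return posted_back, namespace["target"]


if __name__ == "__main__":
    encoded, decoded = round_trip(NESTED_TARGET)
    print("hidden field:", encoded)
    print("after @target directive:", decoded)
```

The hidden field carries only unreserved characters and `%`, so whatever the target contains cannot break out of the `value="..."` attribute, and the directive restores the exact original on the way back in. One caveat that follows from using plain percent-decoding as the stand-in: on the very first GET the directive decodes a target that was never encoded, so a raw target that itself contains a `%xx` sequence would be altered at that step; the thread does not say how SiteMinder's own urldecode() treats such input, so check that case in a test environment before relying on the pattern for targets that contain literal percent signs.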


  • 10.  RE: urlencode

    Posted Oct 11, 2013 11:10 AM
    Yes Stephen. As per the doc, I don't see how the directive which I had mentioned is working.

    Need to analyse more on this.

    Thanks

