Wanted to know how CA Siteminder R12.52 address below security concerns?
(1) Man in the Middle
(2) SQL Injection
(3) Session Hijacking
(4) Session fixation
(5) Cross-site request forgery (CSRF)
A VPN and/or SSL (Secure Socket Layer) or TLS (Transport Layer Security) connection to the application is recommended to encrypt traffic and stop man-in-the-middle attacks.
Use the following web agent settings as needed:
Following doc has detailed information on how to prevent various CSS Attacks including Sql Injection
Following ACO settings are of particular interest :
(3) Session Hijacking & (4) Session fixation
The best solution to prevent from this is using the new Session Assurance feature.
Demo can be found below :
Cross Site Request Forgery (CSRF) attacks can be prevented by using the following webagent ACO parameters-
ValidTargetDomain - Web Agents can help protect from phishing attempts that could redirect users to a hostile web site.
This parameter specifies the domains to which a credential collector is allowed to redirect users. If the domain in the URL does not match the
domains set in this parameter, the redirect is denied.
During processing, the ValidTargetDomain parameter identifies the valid domains for the target. Before redirecting the user, the Web Agent compares
the values in the redirect URL against the domains in this parameter. Without this parameter, the Web Agent redirects the user to targets in any
This will ensure that the webagent works with targets that are appended to its own fully qualified domain name, so that bogus targets in other cookie
domains cannot slip through as it would require the target URI be on the same Domain as the authentication service. Since everything would be
relative, an outside source could not force you out of your domain.
Thanks Ujwol for detailed explanation. This is exactly what i wanted.
Hi Jagadeesh, I am glad that you found it useful. Could you please help mark the question as answered now ?
I would like to do it but am not able to find that option. Please let me know where i can mark it and will definitely do it.