(1) Man in the Middle
A VPN and/or SSL (Secure Socket Layer) or TLS (Transport Layer Security) connection to the application is recommended to encrypt traffic and stop man-in-the-middle attacks.
Use the following web agent settings as needed:
- UseSecureCookie
- UseSecureCPCookies
(2) SQL Injection
The following doc has detailed information on how to prevent various CSS attacks, including SQL injection:
https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/HTML/idocs/1525270.html
The following ACO settings are of particular interest:
- BadCSSChars
- BadQueryChars
- BadUrlChars
- BadFormChars
(3) Session Hijacking & (4) Session fixation
The best solution to prevent this is to use the new Session Assurance feature.
A demo can be found below:
https://www.youtube.com/watch?v=S0Atd_JFML0
(5) Cross-site request forgery (CSRF)
Cross-Site Request Forgery (CSRF) attacks can be prevented by using the following Web Agent ACO parameters:
ValidTargetDomain - Web Agents can help protect from phishing attempts that could redirect users to a hostile web site.
This parameter specifies the domains to which a credential collector is allowed to redirect users. If the domain in the URL does not match the
domains set in this parameter, the redirect is denied.
During processing, the ValidTargetDomain parameter identifies the valid domains for the target. Before redirecting the user, the Web Agent compares
the values in the redirect URL against the domains in this parameter. Without this parameter, the Web Agent redirects the user to targets in any
domain.
TargetAsRelativeURI -
This will ensure that the Web Agent works with targets that are appended to its own fully qualified domain name, so that bogus targets in other cookie
domains cannot slip through, as it would require the target URI to be on the same domain as the authentication service. Since everything would be
relative, an outside source could not force you out of your domain.
Regards,
Ujwol
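The redirect-target check that ValidTargetDomain and TargetAsRelativeURI describe, written out as an added Python illustration of the decision logic (this is not SiteMinder's own code; the domain list, the function names and the edge cases exercised are assumed):

```python
from urllib.parse import urlsplit

# Constructed allow-list standing in for the ValidTargetDomain ACO value.
VALID_TARGET_DOMAINS = ("example.com", "intranet.example.net")


def host_in_domains(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")          # "www.example.com." -> "www.example.com"
    for d in domains:
        d = d.lower().lstrip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


def is_allowed_target(target, domains=VALID_TARGET_DOMAINS, relative_only=False):
    """Decide whether a credential collector may redirect to `target`.

    relative_only mimics TargetAsRelativeURI: only a path on the Web Agent's own
    host is accepted. Otherwise the host must fall under an allow-listed domain.
    """
    if not target:
        return False
    # Browsers commonly treat "\" like "/" when parsing the authority part, so
    # normalise before parsing to avoid judging a different URL than the browser.
    t = target.replace("\\", "/")
    parts = urlsplit(t)
    if parts.scheme == "" and parts.netloc == "":
        # Plain relative path: stays on the current host. urlsplit reports a
        # netloc for protocol-relative "//host/..." forms, so they never reach here.
        return t.startswith("/") and not t.startswith("//")
    if relative_only:
        return False                          # absolute URLs are rejected outright
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname                     # drops userinfo and port; None if absent
    if not host:
        return False
    return host_in_domains(host, domains)
```

The suffix comparison includes the leading dot, so a host that merely starts with an allow-listed name is rejected; comparing on `hostname` rather than `netloc` keeps userinfo and port out of the decision.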