2018 witnessed numerous breaches in large enterprises and government organizations, affecting billions of user records.
The trend continues in 2019 and in short, there is no surprise in the statement that data breaches have become the norm across the world. Enterprises that process and store large volumes of PII, payment data and healthcare data were the primary target for hackers and will continue to be so, for years to come.
Looking at last year, web application attacks were the most frequent attack vector pattern, observed in confirmed breaches, according to the 2018 Verizon Data Breach Investigations Report.
Defending and securing your most critical web applications, can be a consuming exercise. As you may already be aware, there is an online community nonprofit initiative called the Open Web Application Security Project (OWASP) that regularly compiles common web app security risks, being exploited in the wild. Setting policies in your organization, based on eliminating OWASP Top 10 risks is an excellent starting point – these potential vulnerabilities are widely accepted as the most likely to be exploited. Using security solutions to protect against these risks will greatly decrease the chance of a breach. It’s interesting to note that some of the OWASP risks are more prevalent in specific industries. So, you could consider focusing on the most pressing risks facing your sector, for further prioritization. Also, given the recent uptick in massive breaches the prevalence of credential stuffing attacks has largely increased, which means it's time to look at using MFA options like “push”, which is proven to be more secure than a SMS or email OTP, for most of your critical web applications.
Now turning our attention to how to avoid these risks - while there are ways to mitigate these in applications by design and secure development practices, Layer7 SiteMinder (formerly CA Single Sign-On) has policies and settings to complement these development practices. This is a defense in depth strategy to help reduce risk.
I will give a few examples that touch some common attack vectors as well as provide some advice on settings to help mitigate those attack vectors.
When it comes to session security, it’s safe to say that SiteMinder makes your job easier. Broadly speaking, there are settings in SiteMinder that prevent attackers from exploiting certain key vulnerabilities in various scenarios in both federations and non-federation transactions, and even if a breach happens, there are settings that help narrow the window of exposure.
Cross-Site Scripting (XSS) is one of the top OWASP risks to be wary of. In Veracode’s most recent State of Software Security Report, you can see that Cross-Site Scripting flaws were present in nearly 50 percent of the applications. SiteMinder has various controls like BadCSSChars, BadQueryChars, BadURLChars in the SiteMinder enforcement points such as Web Agent to scan the full URL and escape untrusted request data based on the specification in these controls, preventing XSS attack. Another mitigation approach is to make the Web Agent set the HTTP-Only attribute for any cookies it creates using the following parameter: UseHTTPOnlyCookies which instructs the Web Agent to set the HTTP-only attribute on the cookies it creates. When a Web Agent returns a cookie with this attribute to a user's browser, the contents of the cookie cannot be read by a script; even a script from the web site which originally set the cookie. This helps prevent any sensitive information in the cookie from being sent to an unauthorized third party via malicious script code. This setting also applies to contents of the cookies that Federation Web Services generates.
Malicious actors are looking for easy to use exploits to impersonate the victim. Therefore, session cookies are a highly valuable target for them to use and replay. If you are using a cookie provider in your SiteMinder deployment, it is recommended you turn on the configuration to persist the session cookies in a session store, which can prevent session tokens from being stolen. There are also other advantages of using a session store – more details can be found here.
Another common security risk exploited in web attacks are unvalidated redirects where a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site that the attacker controls, an attacker may successfully launch a phishing scam and steal user session or credentials. Prevention of unvalidated redirects can be achieved by sanitizing input by using a list of trusted URLs, also known as white list. SiteMinder provides the following agent configuration parameter - ValidTargetDomain to specify the domains to which a credential collector can redirect users. If the domain in the URL does not match the domains set in this parameter, the redirect is denied.
In cases where the session cookie gets stolen and bad actors end up using them for a session replay, there are controls within SiteMinder that minimize the window of exposure and in some configurations completely mitigate the attack.
A SiteMinder session cookie, also known as “SMSESSION,” is usually a transient cookie with an “Expires” attribute. A persistent cookie that uses the “Max-Age” attribute is not recommended. The session “Expires” attribute of the session token (SMSESSION) also known as automatic session expiration, is configurable within the policy itself and can be configured to minimize the exposure window, based on your application’s requirements.
In a federated environment, there are equivalent controls provided within SiteMinder that limit the exposure window (per the federation standards). For example, in OpenID Connect, access token lifetimes are recommended to be kept to short lifetimes. If ongoing access to the UserInfo Endpoint or other Protected Resources is required, a “refresh token” can be used. In some cases, an attacker may try to use the access token generated for one resource to obtain access to another resource, for which it was not intended. To mitigate such an attack, it is highly recommended to keep the audience and the scope restricted for the access token. Similarly, in SAML or WS-Fed, as much as possible, you should configure either onetime assertions or short-lived assertions, to prevent the reuse of assertions.
Finally, coming to “Session Assurance” - one of the advanced capabilities within SiteMinder, which mitigates the risk of session hijacking. SiteMinder utilizes a patented technology called the “Enhanced session assurance with DeviceDNA™” that uses device fingerprinting to bind the session token to several device properties. This capability involves uniquely fingerprinting a device in a continuous fashion, and comparing each fingerprint sample with the fingerprint taken at the time of login to identify compromised sessions and invalidate them.
There are several additional session defense mechanisms not covered in this blog. For more content specific to that topic, talk to your Broadcom field representative. Additionally, looking to the future, we will continue to evolve SiteMinder, to expand on our authentication, authorization, federation support and session management capabilities.
If you want to get early access to some of these capabilities, we expose them in our validation kits posted on validate.ca.com. If you are not on validate.ca.com, please enroll yourself and get access to the forums and the kits.
I hope this post has been useful.