We are working on a web application that is deployed on a backend server. In front of it we have an Apache 2.2 server running on RHEL, which we use as a proxy server to forward requests to the application server after SiteMinder authentication. Our WebAgent runs on this RHEL server and protects the application URL. The application and SiteMinder authentication are working fine, but our vulnerability assessment team has raised one issue. It goes like this:
When the user hits the proxy server URL for a SiteMinder-protected directory in the browser, e.g. (https://servername.fqdn/ProtectedDirectoy/), it takes the user to the login page with SiteMinder attributes in the URL (https://servername.fqdn/ProtectedDirectoy/Login.aspx?TYPE=*******&REALMOID=********************************&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-6AgvjQEraKbMLtXJBdiwKZQBE0EhBYG8Kki5s6jXbg48r0fAN%2bOtoBsxGXABx3Bx&TARGET=-SM-https%3a%2f%2fservername.fqdn%2fProtectedDirectoy%2f), which looks good.
The issue they have raised is that the TARGET mentioned above can be edited by simply replacing it with user-controlled input that specifies a link to an external site, and that link is then used in a redirect. This simplifies phishing attacks.
Is there any way we can make this TARGET avoid user-controlled input? Please help. HubertDennis Ujwol
Thanks in Advance.
The ValidTargetDomain parameter identifies the valid domains for the target during processing. Before the user is redirected, the agent compares the values in the redirect URL against the domains in this parameter. Without this parameter, the agent redirects the user to targets in any domain.
The ValidTargetDomain parameter can include multiple values, one for each valid domain.
For local agent configurations, specify one entry per line for each domain, for example:
Refer to the link below:
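To make the ValidTargetDomain behaviour concrete, here is an added example (not the CA WebAgent's own code, and not taken from the documentation linked in this thread) that checks a TARGET value against an allow-list of domains the way the answer describes. The agent's exact matching rules are not given on this page, so the rules below are this example's own assumptions: the "-SM-" marker (copied from the login URL in the question) introduces a percent-encoded value; a listed domain matches itself and any of its subdomains, with or without a leading dot; and only absolute http(s) URLs or same-site relative paths are accepted. The attacker variants in the `__main__` block are constructed inputs.

```python
"""Illustration of a ValidTargetDomain-style check on a SiteMinder TARGET.

Added example, not the CA WebAgent's implementation. Assumptions:
  * "-SM-" marks a percent-encoded value (as in the login URL above);
  * a listed domain matches itself and any subdomain, with or without a
    leading dot;
  * only absolute http(s) URLs or same-site relative paths are accepted.
"""
from typing import Iterable, Optional
from urllib.parse import unquote, urlsplit

SM_PREFIX = "-SM-"  # assumed marker, copied from the URL in the question


def decode_target(raw: str) -> str:
    """Strip the -SM- marker and percent-encoding from a TARGET value."""
    if raw.startswith(SM_PREFIX):
        raw = raw[len(SM_PREFIX):]
    return unquote(raw)


def target_host(url: str) -> Optional[str]:
    """Host of an absolute http(s) URL, or None if the URL is unusable.

    Backslashes are rejected outright: browsers treat "\\" as "/" in the
    authority, so "https://evil.example\\@servername.fqdn" lands on
    evil.example although urlsplit() reports servername.fqdn as the host.
    """
    if "\\" in url:
        return None
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https"):
        return None  # also rejects "//evil.example" and "javascript:"
    return parts.hostname  # lowercased; userinfo and port removed


def is_relative_path(url: str) -> bool:
    """Same-site path such as /ProtectedDirectoy/ (but not // or /\\)."""
    return url.startswith("/") and not url.startswith(("//", "/\\"))


def target_allowed(raw_target: str, valid_domains: Iterable[str]) -> bool:
    """True if TARGET points at a listed domain (or a subdomain of one)."""
    url = decode_target(raw_target)
    if is_relative_path(url):
        return True
    host = target_host(url)
    if not host:
        return False
    for domain in valid_domains:
        domain = domain.lower().lstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def safe_target(raw_target: str, valid_domains: Iterable[str],
                fallback: str) -> str:
    """Where to send the user after login: the decoded TARGET if it is
    allowed, otherwise a fixed fallback such as the application root."""
    if target_allowed(raw_target, valid_domains):
        return decode_target(raw_target)
    return fallback


if __name__ == "__main__":
    # Constructed inputs: the TARGET from the question plus attacker variants.
    allowed = ["servername.fqdn"]
    for t in (
        "-SM-https%3a%2f%2fservername.fqdn%2fProtectedDirectoy%2f",
        "-SM-https%3a%2f%2fevil.example%2f",
        "https://servername.fqdn@evil.example/",
        "https://servername.fqdn.evil.example/",
        "//evil.example/",
        "https://evil.example\\@servername.fqdn/",
        "/ProtectedDirectoy/",
    ):
        print(f"{target_allowed(t, allowed)!s:5}  {t}")
```

The cases worth noting for a vulnerability review are the userinfo trick (`https://servername.fqdn@evil.example/`, where the allowed name appears before `@` but the real host is `evil.example`), the suffix trick (`servername.fqdn.evil.example`), the scheme-relative form (`//evil.example/`), and the backslash form, which Python's `urlsplit` parses differently from browsers; a naive substring or prefix match on the allowed domain would pass several of these.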
You could also use SecureURLs. This would encrypt all clear-text query parameters in the redirect to the login page into a single query parameter, which appears as a gibberish value and can be decrypted only by another WebAgent participating in SSO. There are conditions, such as all WebAgents needing to be configured to use SecureURLs.
Help Prevent Attacks - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
Encrypt Query String Parameters in Redirection URLs - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
Beyond this, you could use the parameters below to restrict tampering before/after the WebAgent encrypts/decrypts the values.
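The reason an opaque parameter stops the TARGET edit is that the user no longer holds a clear-text value to rewrite. The following is an added illustration of that property and is not CA's SecureURLs implementation: SecureURLs encrypts the parameters with a key shared by the participating WebAgents, whereas this example only base64-encodes them and binds them to an HMAC-SHA256 tag under an assumed shared agent key, which is enough to show that an edited value is rejected on arrival. The function names, the key and the sample parameters are this example's own assumptions.

```python
"""Opaque, integrity-protected login query parameter (added example).

Not CA's SecureURLs: that feature encrypts the parameters; here they are
only base64-encoded and HMAC-tagged, to show that a TARGET edited by the
user is detected. Key and names are assumptions for the example.
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64d(token: str) -> bytes:
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def seal_query(params: Dict[str, str], key: bytes) -> str:
    """Pack the login parameters into one value the user cannot alter
    without the shared key (the sending agent's side)."""
    body = urlencode(params).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64e(body + tag)


def unseal_query(token: str, key: bytes) -> Optional[Dict[str, str]]:
    """Recover the parameters, or None if the value was altered or is not
    ours (the receiving agent's side)."""
    try:
        blob = _b64d(token)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) < TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return dict(parse_qsl(body.decode(), keep_blank_values=True))


def tamper_target(token: str, new_target: str) -> str:
    """What a user without the key can do: decode, edit TARGET, re-encode,
    and reuse the old tag. The receiver rejects the result."""
    blob = _b64d(token)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    params = dict(parse_qsl(body.decode(), keep_blank_values=True))
    params["TARGET"] = new_target
    return _b64e(urlencode(params).encode() + tag)


if __name__ == "__main__":
    key = b"assumed-shared-agent-key"  # assumption; real deployments share agent keys
    # Constructed sample parameters, based on the login URL in the question.
    sealed = seal_query({"SMAUTHREASON": "0", "METHOD": "GET",
                         "TARGET": "https://servername.fqdn/ProtectedDirectoy/"}, key)
    print("sealed value:", sealed)
    print("valid unseal:", unseal_query(sealed, key))
    print("after edit:  ", unseal_query(tamper_target(sealed, "https://evil.example/"), key))
```

Note that an HMAC tag gives integrity, not confidentiality: anyone can still read the parameters out of this example's token, which is why the real feature encrypts them. The trade-off the answer mentions remains: every agent that must read the value has to share the key, which is why all participating WebAgents need the same SecureURLs configuration.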
Hi Jeff,
Yes, those URLs have been replaced. I'm sorry the old links do not redirect to the new location:
And here is the current home page for Siteminder documentation (this lands you on the 12.8 version, but you can access all versions of the docs from the Version drop-down menu):