Symantec Access Management

  • 1.  Avoid user-controlled input in Target

    Posted May 13, 2016 02:18 AM

    Hi All,

    We are working on a web application that is deployed on a backend server. In the front end we have an Apache 2.2 server running on RHEL, which we are using as a proxy server to forward requests to the application server after SiteMinder authentication. Our WebAgent runs on this RHEL server and protects the application URL. The application and SiteMinder authentication are working fine, but our vulnerability assessment team has raised one issue. It goes like this:

    When the user hits the proxy server URL with the SiteMinder-protected directory in the browser, e.g. (https://servername.fqdn/ProtectedDirectoy/), it takes the user to the login page with SiteMinder attributes in the URL (https://servername.fqdn/ProtectedDirectoy/Login.aspx?TYPE=*******&REALMOID=********************************&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-6AgvjQEraKbMLtXJBdiwKZQBE0EhBYG8Kki5s6jXbg48r0fAN%2bOtoBsxGXABx3Bx&TARGET=-SM-https%3a%2f%2fservername.fqdn%2fProtectedDirectoy%2f), which looks good.

    The issue they have raised is that the TARGET mentioned above can be edited by simply replacing it with user-controlled input that specifies a link to an external site, and that link is then used in a redirect. This simplifies phishing attacks.

    Is there any way we can make this TARGET avoid user-controlled input? Please help. Hubert, Dennis, Ujwol

    Thanks in advance.

    Regards,

    Ashish Vashistha



  • 2.  Re: Avoid user-controlled input in Target

    Posted May 13, 2016 05:23 AM

    Hi Ashish,

    The ValidTargetDomain parameter identifies the valid domains for the target during processing. Before the user is redirected, the agent compares the values in the redirect URL against the domains in this parameter. Without this parameter, the agent redirects the user to targets in any domain.

    The ValidTargetDomain parameter can include multiple values, one for each valid domain.

    For local agent configurations, specify an entry, one entry per line, for each domain, for example:

    validtargetdomain=".xyzcompany.com"

    validtargetdomain=".abccompany.com"

    Refer to the link below:

    https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052-ENU/Bookshelf_Files/HTML/idocs/1525270.html#o256533

    Thanks,

    Sharan
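    The check that ValidTargetDomain is documented to perform, modelled in Python as an added example (this is not SiteMinder or Web Agent code, and the real agent's matching rules are not reproduced; the suffix-matching behaviour, the handling of the "-SM-" prefix seen in the question's TARGET value, and the sample configuration text are all assumptions made for illustration). It shows why the leading dot in ".xyzcompany.com" matters and which malformed targets a defender should expect a domain allow-list to reject.

```python
"""
Open-redirect guard for a SiteMinder-style TARGET parameter.

Added example, not Web Agent code. It models what ValidTargetDomain is
documented to do: before redirecting, compare the host in the target URL
against a list of allowed domain suffixes and refuse anything else. The
exact matching rules of the real agent are an assumption here.
"""
from urllib.parse import unquote, urlsplit

# Constructed configuration, mirroring the documented local-config format.
SAMPLE_CONFIG = """
validtargetdomain=".xyzcompany.com"
validtargetdomain=".abccompany.com"
"""


def parse_valid_target_domains(config_text):
    """Collect every validtargetdomain= entry from a local agent config (assumed format)."""
    domains = []
    for line in config_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().lower() == "validtargetdomain":
            domains.append(value.strip().strip('"').lower())
    return domains


VALID_TARGET_DOMAINS = parse_valid_target_domains(SAMPLE_CONFIG)


def decode_target(raw_target):
    """Strip the '-SM-' prefix the agent puts before the target, then URL-decode it."""
    if raw_target.startswith("-SM-"):
        raw_target = raw_target[len("-SM-"):]
    return unquote(raw_target)


def host_allowed(host, allowed_suffixes):
    """Suffix match that keeps the leading dot, so 'evilxyzcompany.com' does not pass.

    The bare domain ('xyzcompany.com') is also accepted for '.xyzcompany.com';
    that is a design choice of this example, not a documented agent rule.
    """
    host = host.lower().rstrip(".")
    for suffix in allowed_suffixes:
        suffix = suffix.lower()
        if not suffix.startswith("."):
            suffix = "." + suffix
        if host == suffix[1:] or host.endswith(suffix):
            return True
    return False


def is_safe_target(raw_target, allowed_suffixes=VALID_TARGET_DOMAINS):
    """Return True only if the decoded TARGET is a local path or an allowed http(s) host."""
    target = decode_target(raw_target)
    # Backslashes and control characters are parsed differently by browsers
    # and servers; refuse rather than guess what the browser will do.
    if "\\" in target or any(c in target for c in "\r\n\t"):
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative path: stays on the current host. Scheme-relative '//host'
        # (and '///host', which some browsers collapse) is refused.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    # urlsplit keeps 'user:pass@' in netloc but .hostname drops it, so a
    # target like https://good.xyzcompany.com@evil.example is judged on
    # evil.example, which is the host the browser would actually visit.
    host = parts.hostname
    if not host:
        return False
    return host_allowed(host, allowed_suffixes)


if __name__ == "__main__":
    # Constructed candidates, including the encoded TARGET from the question.
    candidates = [
        "-SM-https%3a%2f%2fservername.fqdn%2fProtectedDirectoy%2f",
        "https://www.xyzcompany.com/app",
        "https://xyzcompany.com.evil.example/",
        "https://good.xyzcompany.com@evil.example/",
        "//evil.example/",
        "/ProtectedDirectoy/",
    ]
    for c in candidates:
        print("allow" if is_safe_target(c) else "reject", c)
```

    With the sample configuration, the question's own TARGET (host servername.fqdn) is rejected until ".fqdn" or the real host's domain is added to the list, which is the intended effect: the parameter only helps once every legitimate target domain is listed.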



  • 3.  Re: Avoid user-controlled input in Target

    Posted May 16, 2016 12:45 AM

    Thanks Sharan!



  • 4.  Re: Avoid user-controlled input in Target
    Best Answer

    Posted May 13, 2016 10:49 AM

    Ashish

    You could also use SecureURLs. This would encrypt all "Clear Text encoded Query parameters" in the redirect to the login page into a "Single Query Parameter" which appears like a gibberish value and can be decrypted only by another WebAgent participating in SSO. There are conditions, such as all WebAgents needing to be configured to use SecureURLs.

    Help Prevent Attacks - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

    Encrypt Query String Parameters in Redirection URLs - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

    Beyond this, you could use the parameters below to restrict hacks before/after the WebAgent encrypts/decrypts the values.

    ValidTargetDomain

    UseSecureCookies

    TrackSessionDomain

    TrackCPSessionDomain

    CSSChecking

    BadCSSChars

    BadFormChars

    BadQueryChars

    BadUrlChars

    https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/web-agent-configuration/list-of-agent-configuration-parameters

    Regards

    Hubert



  • 5.  Re: Avoid user-controlled input in Target

    Posted May 16, 2016 12:46 AM

    Thanks Hubert!



  • 6.  RE: Re: Avoid user-controlled input in Target

    Posted Jul 21, 2020 10:20 AM
    The URLs mentioned within point to the old CA system... Did these migrate over to BC?


  • 7.  RE: Re: Avoid user-controlled input in Target

    Broadcom Employee
    Posted Jul 21, 2020 10:29 AM

    Hi Jeff,

    Yes, those URLs have been replaced.  I'm sorry the old links do not redirect to the new location:

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/web-agent-configuration/user-protection/help-prevent-attacks.html

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/web-agent-configuration/forms-authentication/how-to-configure-an-agent-to-support-html-forms-authentication/configure-advanced-fcc-settings/encrypt-query-string-parameters-in-redirection-urls.html

    And here is the current home page for Siteminder documentation (this lands you on the 12.8 version, but you can access all versions of the docs from the Version drop-down menu):

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8.html

    Regards,
    Pete