Symantec Access Management

  • 1.  X-FRAME-OPTIONS vulnerability - Headers missing from .fcc login page

    Posted Nov 13, 2019 10:57 AM
    In our environment, we are using CA SPS and SiteMinder. Our Vulnerability Management team has identified that the X-FRAME-OPTIONS header is missing from SiteMinder protected resources and also from the .fcc login page. 
    After referring to the 2 links below, 
    I added the X-FRAME-OPTIONS ACO parameter with the value specified as "DENY", and I am now able to see the header being returned for protected resources. 
    However, the header is still missing from the .fcc login page itself. 
    Are any additional configurations required for the header to be seen on the login page? Please advise. 

    Issue : Security Headers missing from login .fcc page

    Environment Details : 
    SiteMinder WebAgent - 12.52
    SiteMinder Policy Server - 12.8

    Fiddler Capture : 
    Security header is visible on Protected resource after adding ACO parameter
    X-FRAME-OPTIONS header missing on login page


    ------------------------------
    Samarth Upasani
    ------------------------------


  • 2.  RE: X-FRAME-OPTIONS vulnerability - Headers missing from .fcc login page

    Broadcom Employee
    Posted Nov 13, 2019 12:31 PM
    Is it possible that the login page is cached? (In case you have a network device between the browser and the web server.) 
    Also, I cannot see the screenshots properly; do you have the login page served from the same web server / agent? 

    Have you tried setting the header on the web server itself? 

    Thanks 
    Joe


  • 3.  RE: X-FRAME-OPTIONS vulnerability - Headers missing from .fcc login page

    Posted Nov 13, 2019 01:12 PM
    Hi Joseph, 

    I have uploaded a Word file which has those screenshots now. 
    The login page is served from the same web server. Also, from the web agent trace logs (logs below), it is seen that the login page is served from disk, which means the network components are not serving a cached login page. 

    [11/12/2019][16:23:12][1084][3904][][CSmFormTemplateCache::GetForm][Form template 'E:\CA\secure-proxy\Tomcat\webapps\..\..\proxy-engine\examples\siteminderagent\MVDLSDEV\PDLoginBP.fcc' not found in cache.]
    [11/12/2019][16:23:12][1084][3904][][CSmFormTemplateCache::GetForm][Serving form template 'E:\CA\secure-proxy\Tomcat\webapps\..\..\proxy-engine\examples\siteminderagent\MVDLSDEV\PDLoginBP.fcc' from disk.]

    Above logs are after flushing cache. 

    How can I add the header at the web server level? We are using CA Access Gateway, which is Apache. Should this be done in the httpd.conf file?

    Attachment: X-FRAMES-OPTIONS.docx (361 KB)


  • 4.  RE: X-FRAME-OPTIONS vulnerability - Headers missing from .fcc login page
    Best Answer

    Broadcom Employee
    Posted Nov 13, 2019 01:24 PM
    OK, thank you.
    Yes, you can set it to be returned from Apache on all requests as such: 

    Set the following in httpd.conf and restart Access Gateway.

    Header always set X-Frame-Options "DENY"

    That should take care of it; let me know what you get. 
    Joe
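
A way to verify the fix across every response in the login flow, as an added example that is not part of the original thread and not Broadcom's or the poster's code: the script below parses raw HTTP responses (such as those exported from a Fiddler capture) and reports, per response, whether X-Frame-Options is missing, valid (DENY or SAMEORIGIN), an obsolete or unrecognised value, or present twice with conflicting values. The captures, hostnames and paths are constructed to mirror the thread: the protected resource carries the header set via the ACO parameter, the .fcc login page does not. A 302 to the login form is included because an Apache `Header set` without the `always` keyword only applies to 2xx responses, so the `always` in the answer above matters for redirects and 401s.

```python
# Added example (not from the original thread): audit captured HTTP responses
# for an anti-framing header. Captures, hostnames and paths are constructed.
from typing import Dict, List, Optional, Tuple

CRLF = "\r\n"
VALID_XFO = {"deny", "sameorigin"}  # the only values current browsers honour

# Constructed captures mirroring the thread: the protected page has the header
# (set by the ACO parameter); the .fcc login page does not. A 302 and a
# conflicting-duplicate case are included to show what the checker reports.
CAPTURES: Dict[str, str] = {
    "protected": CRLF.join([
        "HTTP/1.1 200 OK",
        "Content-Type: text/html",
        "X-FRAME-OPTIONS: DENY",
        "",
        "<html>protected</html>",
    ]),
    "login_fcc": CRLF.join([
        "HTTP/1.1 200 OK",
        "Content-Type: text/html",
        "Cache-Control: no-cache",
        "",
        "<html>login form</html>",
    ]),
    # Redirect to the login form: Apache 'Header set' without 'always' only
    # touches 2xx responses, so a 3xx like this one would stay unprotected.
    "redirect_to_login": CRLF.join([
        "HTTP/1.1 302 Found",
        "Location: https://sps.example.com/siteminderagent/forms/login.fcc",
        "",
        "",
    ]),
    # Two components emitting different values (e.g. agent and httpd.conf).
    "conflict": CRLF.join([
        "HTTP/1.1 200 OK",
        "X-Frame-Options: DENY",
        "X-Frame-Options: SAMEORIGIN",
        "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'",
        "",
        "<html>two components, two opinions</html>",
    ]),
}


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Parse a raw HTTP/1.1 response into (status code, headers).

    Header names are lower-cased; duplicate headers are kept as separate
    list entries so conflicting values can be detected.
    """
    head, _sep, _body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    status = int(lines[0].split()[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")  # first colon only; URLs in values survive
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def frame_verdict(headers: Dict[str, List[str]]) -> Tuple[str, Optional[str]]:
    """Classify X-Frame-Options as 'missing', 'ok', 'invalid' or 'conflict'.

    Also returns the CSP frame-ancestors directive if one is present, since
    that is the modern replacement and should agree with X-Frame-Options.
    """
    xfo = [v.lower() for v in headers.get("x-frame-options", [])]
    distinct = set(xfo)
    csp_fa = None
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            directive = directive.strip()
            if directive.lower().startswith("frame-ancestors"):
                csp_fa = directive
    if not xfo:
        verdict = "missing"
    elif len(distinct) > 1:
        verdict = "conflict"
    elif distinct <= VALID_XFO:
        verdict = "ok"
    else:
        verdict = "invalid"  # e.g. ALLOW-FROM, which browsers no longer honour
    return verdict, csp_fa


def audit(captures: Dict[str, str]) -> List[Tuple[str, int, str, Optional[str]]]:
    """Return (name, status, verdict, csp_frame_ancestors) for every capture
    whose X-Frame-Options is not a single DENY or SAMEORIGIN value."""
    findings = []
    for name, raw in captures.items():
        status, headers = parse_response(raw)
        verdict, csp_fa = frame_verdict(headers)
        if verdict != "ok":
            findings.append((name, status, verdict, csp_fa))
    return findings


if __name__ == "__main__":
    for name, status, verdict, csp_fa in audit(CAPTURES):
        note = f" (CSP {csp_fa} present)" if csp_fa else ""
        print(f"{name}: HTTP {status}, X-Frame-Options {verdict}{note}")
```

In practice, feed it the responses for the protected resource, the .fcc page and every redirect in between, captured against the gateway after the restart. If both the web agent (ACO parameter) and httpd.conf emit the header, make sure they agree; the checker reports differing values as a conflict, and identical duplicates as ok.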