
XSS vulnerabilities with DevTest 10.5.0 IAM


Article ID: 189230


Updated On:


CA Cloud Test Mobile CA Application Test


We received the two potential vulnerability notifications below. Please let us know if DevTest 10.5 is good to go or needs to be patched.

CVE-2014-3656 - JBossKeycloak login-status-iframe.html Endpoint origin Parameter Reflected XSS

CVE-2013-6495 - JBossWebBayeux has reflected XSS

Below is all the info we received for the 2 items:


Discussion: JBoss Keycloak contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the login-status-iframe.html endpoint does not validate input to the 'origin' parameter before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.  

Recommended Remediation: For information please refer to the following site(s):

Product: redhat.jboss_keycloak.-
Alert Publication Date: 12/10/2019


Discussion: JBossWeb Bayeux has reflected XSS  
Recommended Remediation: For information please refer to the following site(s):

Product: redhat.jboss_enterprise_application_platform.6.0.0 up to (excluding) 6.1.1, redhat.jboss_portal.6.0.0 up to (excluding) 6.1.0
Alert Publication Date: 12/11/2019



Release: 10.5.1

Component: CA Service Virtualization


XSS vulnerability.


Please follow the instructions below to resolve the XSS vulnerabilities in IAM:

1. Go to the DEVTEST_HOME/IdentityAccessManager/standalone/configuration folder.
2. Take a backup of standalone.xml.
3. Open standalone.xml in the configuration folder.
4. Search for the <subsystem xmlns="urn:jboss:domain:undertow:4.0"> block. It contains a <host> tag.
5. Inside the <host> tag, below <http-invoker security-realm="ApplicationRealm"/>, add the following lines:
    <filter-ref name="X-Frame-Options"/>
    <filter-ref name="x-xss-protection"/>
    <filter-ref name="strict-transport-security"/>
    <filter-ref name="content-security-policy"/>
    <filter-ref name="x-Content-type-options"/>
6. Now add the following lines under the <handlers></handlers> tag in the same <subsystem xmlns="urn:jboss:domain:undertow:4.0"> block:
    <response-header name="X-Frame-Options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
    <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
    <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
    <response-header name="content-security-policy" header-name="content-security-policy" header-value="default-src ; style-src 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;"/>
    <response-header name="x-Content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
7. Save and exit.

Re-run the scan and let me know if this resolves the vulnerability.
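Before re-running the scanner, it helps to confirm that the headers from step 6 actually come back on IAM responses. The following Python script is an added example, not part of this article or of DevTest: it parses a raw HTTP response head (a constructed sample is embedded), reports any header that is missing or differs from the step 6 values, and flags the script-src source expressions in the step 6 policy that still allow injected script to run.

```python
# Headers added in step 6, keyed by lower-cased name; None means presence-only check.
EXPECTED_HEADERS = {
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": None,
    "x-content-type-options": "nosniff",
}
# Source expressions that still let injected script run; the step 6 policy grants all three.
PERMISSIVE_SCRIPT_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'"}

def parse_headers(raw: str) -> dict:
    headers = {}  # {lower-cased name: value}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def csp_script_sources(csp: str) -> set:
    # Source list of script-src, falling back to default-src as browsers do.
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = set(parts[1:])
    return directives.get("script-src", directives.get("default-src", set()))

def audit_headers(raw: str) -> list:
    # Return findings; an empty list means every step 6 header is present as expected.
    headers = parse_headers(raw)
    findings = []
    for name, expected in EXPECTED_HEADERS.items():
        if name not in headers:
            findings.append(f"missing: {name}")
        elif expected is not None and headers[name] != expected:
            findings.append(f"unexpected value for {name}: {headers[name]!r}")
    weak = csp_script_sources(headers.get("content-security-policy", "")) & PERMISSIVE_SCRIPT_SOURCES
    if weak:
        findings.append("permissive script-src: " + " ".join(sorted(weak)))
    return findings

# Constructed sample response head, as IAM would answer once step 6 is applied.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\nX-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src ; script-src * 'unsafe-inline' 'unsafe-eval'; frame-src *;\r\n\r\n<html>"
)
```

In practice, pass it the raw head captured from the IAM endpoint (for example with curl -i) instead of the sample. Because the step 6 policy grants * 'unsafe-inline' 'unsafe-eval' on script-src, the audit reports that policy as permissive even when the header is set exactly as instructed.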