Determining the origin of a XSS attack attempt in CA PAM
search cancel

Determining the origin of a XSS attack attempt in CA PAM

book

Article ID: 191208

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

CA PAM has a security option which may be activated by Accessing Configuration --> Security --> XSS Checks



This setting allows CA PAM to detect Cross-Site-Scripting attacks (XSS) as described for instance in the present website.

When this setting is ON and CA PAM considers it has been the victim of any such attack, the following information will be displayed in the session logs

2020/05/10 17:55:02,security,connection, --, --, --, --, --, --, --, --, --, --,Http handler, --,PAM-SPFD-0018: Preventing Cross Site Scripting Attempt,0, --,,0

However, no information is provided about the originating URL or application.

This article indicates how to obtain such information





Environment

CA Privileged Access Manager, all versions above 3.2.X

Resolution

The information about the IP from which the suspected attacks are coming is logged in log xcd_sfpd.log inside the /var/logs folder of the appliance which has detected the attack. Lines like the following will be logged

2020-05-10 17:55:01  93741 INFO  run: New connection handler. (5, <IP Address>:3121, 120)

2020-05-10 17:55:01  93741 INFO  getTLSLowVersion: TLS low-version: support

2020-05-10 17:55:01  93741 INFO  initializeSSL: SSL_CTX_load_verify_locations and SSL_CTX_set_default_verify_paths

2020-05-10 17:55:02  93741 INFO  HandshakeSSL: SSL connection using AES256-SHA (TLSv1.2)

2020-05-10 17:55:02  93741 INFO  run: Policy: sessionID=,sequenceNumber=,userID=,userName=,taskName=,serviceName=,serviceType=,serviceMainframeProtocol=...

2020-05-10 17:55:02  93741 INFO  isXSSattempt: Preventing Cross Site Scripting Attempt From: <IP Address>

2020-05-10 17:55:02  93741 INFO  executeInternal: request [wget -O - --no-check-certificate 'http://localhost:8000/serviceController.php?dataEncoding=http_get&service=AuthenticationService&serviceMethod=authenticateUser&GK_IN_PROXY_MODE=1&authMethod=LOCAL_PROCESS&userName=xcd_local&userPassword=5c671b278a14b2a61f2e3ba6458e72714641b2cb']

2020-05-10 17:55:02  93741 INFO  execute: request [wget -O - --no-check-certificate --header="Cookie: PHPSESSID=30f8bcec591fa59a89d2203c843d6cd9" --header='User-Agent: Java' 'http://localhost:8000/serviceController.php?dataEncoding=http_get&service=AuditService&serviceMethod=createLogByKey&deviceId=0&deviceName=&domName=&messageCode=PAM-SPFD-0018&port=0&serviceName=&sourceIP=&taskName=Http handler&transType=connection&userName=security']

2020-05-10 17:55:02  93741 INFO  executeInternal: request [wget -O - --no-check-certificate --header="Cookie: PHPSESSID=30f8bcec591fa59a89d2203c843d6cd9" --header='User-Agent: Java' 'http://localhost:8000/serviceController.php?dataEncoding=http_get&service=AuthenticationService&serviceMethod=logout']

Thus the IP for the machine which is suspected of initiating the attack will be logged, as will be the different requests which are done from inside PAM before and afterwards, tracked by transaction number.

The xcd_spfd is part of the diagnostics files created when hitting the System Configuration button in the Diagnostics --> Download page and it is therefore not directly accessible by every user.

In help is required determining the source of the XSS attack, please download the session logs covering the time of the incident as well as the Diagnostics logs (logs.bin) which can be obtained obtain by hitting the said button, and open a case with Broadcom Support