Determining the origin of a XSS attack attempt in CA PAM
Article ID: 191208
Updated On:
Products
CA Privileged Access Manager (PAM)
Issue/Introduction
CA PAM has a security option which may be activated by Accessing Configuration --> Security --> XSS Checks
This setting allows CA PAM to detect Cross-Site-Scripting attacks (XSS) as described for instance in the present website.
When this setting is ON and CA PAM considers it has been the victim of any such attack, the following information will be displayed in the session logs
2020/05/10 17:55:02,security,connection, --, --, --, --, --, --, --, --, --, --,Http handler, --,PAM-SPFD-0018: Preventing Cross Site Scripting Attempt,0, --,,0
However, no information is provided about the originating URL or application.
This article indicates how to obtain such information
This setting allows CA PAM to detect Cross-Site-Scripting attacks (XSS) as described for instance in the present website.
When this setting is ON and CA PAM considers it has been the victim of any such attack, the following information will be displayed in the session logs
2020/05/10 17:55:02,security,connection, --, --, --, --, --, --, --, --, --, --,Http handler, --,PAM-SPFD-0018: Preventing Cross Site Scripting Attempt,0, --,,0
However, no information is provided about the originating URL or application.
This article indicates how to obtain such information
Environment
CA Privileged Access Manager, all versions above 3.2.X
Resolution
The information about the IP from which the suspected attacks are coming is logged in log xcd_sfpd.log inside the /var/logs folder of the appliance which has detected the attack. Lines like the following will be logged
2020-05-10 17:55:01 93741 INFO run: New connection handler. (5, 5.62.62.153:3121, 120)
2020-05-10 17:55:01 93741 INFO getTLSLowVersion: TLS low-version: support
2020-05-10 17:55:01 93741 INFO initializeSSL: SSL_CTX_load_verify_locations and SSL_CTX_set_default_verify_paths
2020-05-10 17:55:02 93741 INFO HandshakeSSL: SSL connection using AES256-SHA (TLSv1.2)
2020-05-10 17:55:02 93741 INFO run: Policy: sessionID=,sequenceNumber=,userID=,userName=,taskName=,serviceName=,serviceType=,serviceMainframeProtocol=...
2020-05-10 17:55:02 93741 INFO isXSSattempt: Preventing Cross Site Scripting Attempt From: 5.62.62.153
2020-05-10 17:55:02 93741 INFO executeInternal: request [wget -O - --no-check-certificate 'http://localhost:8000/serviceController.php?dataEncoding=http_get&service=AuthenticationService&serviceMethod=authenticateUser&GK_IN_PROXY_MODE=1&authMethod=LOCAL_PROCESS&userName=xcd_local&userPassword=5c671b278a14b2a61f2e3ba6458e72714641b2cb']
2020-05-10 17:55:02 93741 INFO execute: request [wget -O - --no-check-certificate --header="Cookie: PHPSESSID=30f8bcec591fa59a89d2203c843d6cd9" --header='User-Agent: Java' 'http://localhost:8000/serviceController.php?dataEncoding=http_get&service=AuditService&serviceMethod=createLogByKey&deviceId=0&deviceName=&domName=&messageCode=PAM-SPFD-0018&port=0&serviceName=&sourceIP=&taskName=Http handler&transType=connection&userName=security']
2020-05-10 17:55:02 93741 INFO executeInternal: request [wget -O - --no-check-certificate --header="Cookie: PHPSESSID=30f8bcec591fa59a89d2203c843d6cd9" --header='User-Agent: Java' 'http://localhost:8000/serviceController.php?dataEncoding=http_get&service=AuthenticationService&serviceMethod=logout']
Thus the IP for the machine which is suspected of initiating the attack will be logged, as will be the different requests which are done from inside PAM before and afterwards, tracked by transaction number.
The xcd_spfd is part of the diagnostics files created when hitting the System Configuration button in the Diagnostics --> Download page and it is therefore not directly accessible by every user.
In help is required determining the source of the XSS attack, please download the session logs covering the time of the incident as well as the Diagnostics logs (logs.bin) which can be obtained obtain by hitting the said button, and open a case with Broadcom Support
2020-05-10 17:55:01 93741 INFO run: New connection handler. (5, 5.62.62.153:3121, 120)
2020-05-10 17:55:01 93741 INFO getTLSLowVersion: TLS low-version: support
2020-05-10 17:55:01 93741 INFO initializeSSL: SSL_CTX_load_verify_locations and SSL_CTX_set_default_verify_paths
2020-05-10 17:55:02 93741 INFO HandshakeSSL: SSL connection using AES256-SHA (TLSv1.2)
2020-05-10 17:55:02 93741 INFO run: Policy: sessionID=,sequenceNumber=,userID=,userName=,taskName=,serviceName=,serviceType=,serviceMainframeProtocol=...
2020-05-10 17:55:02 93741 INFO isXSSattempt: Preventing Cross Site Scripting Attempt From: 5.62.62.153
2020-05-10 17:55:02 93741 INFO executeInternal: request [wget -O - --no-check-certificate 'http://localhost:8000/serviceController.php?dataEncoding=http_get&service=AuthenticationService&serviceMethod=authenticateUser&GK_IN_PROXY_MODE=1&authMethod=LOCAL_PROCESS&userName=xcd_local&userPassword=5c671b278a14b2a61f2e3ba6458e72714641b2cb']
2020-05-10 17:55:02 93741 INFO execute: request [wget -O - --no-check-certificate --header="Cookie: PHPSESSID=30f8bcec591fa59a89d2203c843d6cd9" --header='User-Agent: Java' 'http://localhost:8000/serviceController.php?dataEncoding=http_get&service=AuditService&serviceMethod=createLogByKey&deviceId=0&deviceName=&domName=&messageCode=PAM-SPFD-0018&port=0&serviceName=&sourceIP=&taskName=Http handler&transType=connection&userName=security']
2020-05-10 17:55:02 93741 INFO executeInternal: request [wget -O - --no-check-certificate --header="Cookie: PHPSESSID=30f8bcec591fa59a89d2203c843d6cd9" --header='User-Agent: Java' 'http://localhost:8000/serviceController.php?dataEncoding=http_get&service=AuthenticationService&serviceMethod=logout']
Thus the IP for the machine which is suspected of initiating the attack will be logged, as will be the different requests which are done from inside PAM before and afterwards, tracked by transaction number.
The xcd_spfd is part of the diagnostics files created when hitting the System Configuration button in the Diagnostics --> Download page and it is therefore not directly accessible by every user.
In help is required determining the source of the XSS attack, please download the session logs covering the time of the incident as well as the Diagnostics logs (logs.bin) which can be obtained obtain by hitting the said button, and open a case with Broadcom Support
Attachments
Feedback
Yes
No
Powered by
