Determining the origin of a XSS attack attempt in CA PAM


Article ID: 191208


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

CA PAM has a security option which may be activated by accessing Configuration --> Security --> XSS Checks.



This setting allows CA PAM to detect Cross-Site Scripting (XSS) attacks, as described for instance on the linked website.

When this setting is ON and CA PAM considers itself to have been the target of such an attack, the following line is written to the session logs:

2020/05/10 17:55:02,security,connection, --, --, --, --, --, --, --, --, --, --,Http handler, --,PAM-SPFD-0018: Preventing Cross Site Scripting Attempt,0, --,,0

However, no information is provided about the originating URL or application.

This article indicates how to obtain such information.


Resolution

The IP address from which the suspected attacks originate is logged in xcd_spfd.log, inside the /var/logs folder of the appliance which detected the attack. Lines like the following will be logged:

2020-05-10 17:55:01  93741 INFO  run: New connection handler. (5, <IP Address>:3121, 120)

2020-05-10 17:55:01  93741 INFO  getTLSLowVersion: TLS low-version: support

2020-05-10 17:55:01  93741 INFO  initializeSSL: SSL_CTX_load_verify_locations and SSL_CTX_set_default_verify_paths

2020-05-10 17:55:02  93741 INFO  HandshakeSSL: SSL connection using AES256-SHA (TLSv1.2)

2020-05-10 17:55:02  93741 INFO  run: Policy: sessionID=,sequenceNumber=,userID=,userName=,taskName=,serviceName=,serviceType=,serviceMainframeProtocol=...

2020-05-10 17:55:02  93741 INFO  isXSSattempt: Preventing Cross Site Scripting Attempt From: <IP Address>

2020-05-10 17:55:02  93741 INFO  executeInternal: request [wget -O - --no-check-certificate 'http://localhost:8000/serviceController.php?dataEncoding=http_get&service=AuthenticationService&serviceMethod=authenticateUser&GK_IN_PROXY_MODE=1&authMethod=LOCAL_PROCESS&userName=xcd_local&userPassword=5c671b278a14b2a61f2e3ba6458e72714641b2cb']

2020-05-10 17:55:02  93741 INFO  execute: request [wget -O - --no-check-certificate --header="Cookie: PHPSESSID=30f8bcec591fa59a89d2203c843d6cd9" --header='User-Agent: Java' 'http://localhost:8000/serviceController.php?dataEncoding=http_get&service=AuditService&serviceMethod=createLogByKey&deviceId=0&deviceName=&domName=&messageCode=PAM-SPFD-0018&port=0&serviceName=&sourceIP=&taskName=Http handler&transType=connection&userName=security']

2020-05-10 17:55:02  93741 INFO  executeInternal: request [wget -O - --no-check-certificate --header="Cookie: PHPSESSID=30f8bcec591fa59a89d2203c843d6cd9" --header='User-Agent: Java' 'http://localhost:8000/serviceController.php?dataEncoding=http_get&service=AuthenticationService&serviceMethod=logout']

Thus the IP of the machine suspected of initiating the attack is logged, together with the different requests made from inside PAM before and afterwards, all tracked by the same transaction number (93741 in the example above).

The SPFD log for the current day (starting at 6:25AM UTC) can be downloaded by a PAM administrator from the Configuration > Diagnostics > Diagnostic Logs > Download page.
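To show how the correlation described above can be scripted once the log has been downloaded, here is an added Python example (not part of the original article and not CA PAM code) that groups xcd_spfd.log lines by transaction number and reports each transaction in which the XSS check fired, together with the peer address that opened the connection. The log excerpt and its addresses are constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed xcd_spfd.log excerpt modelled on the lines quoted in the article;
# 203.0.113.45 and 198.51.100.7 are documentation addresses, not real hosts.
SAMPLE_SPFD_LOG = """\
2020-05-10 17:55:01  93741 INFO  run: New connection handler. (5, 203.0.113.45:3121, 120)
2020-05-10 17:55:01  93741 INFO  getTLSLowVersion: TLS low-version: support
2020-05-10 17:55:02  93741 INFO  HandshakeSSL: SSL connection using AES256-SHA (TLSv1.2)
2020-05-10 17:55:02  93741 INFO  isXSSattempt: Preventing Cross Site Scripting Attempt From: 203.0.113.45
2020-05-10 17:55:02  93741 INFO  execute: request [wget -O - 'http://localhost:8000/serviceController.php?service=AuditService&messageCode=PAM-SPFD-0018']
2020-05-10 17:55:03  93742 INFO  run: New connection handler. (6, 198.51.100.7:40022, 120)
2020-05-10 17:55:03  93742 INFO  HandshakeSSL: SSL connection using AES256-SHA (TLSv1.2)
"""

# Fields of one log line: timestamp, transaction (handler) number, level, function, message
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\w+)\s+(\w+): (.*)$")
CONN_RE = re.compile(r"New connection handler\. \(\d+, (\S+?):(\d+), \d+\)")
XSS_RE = re.compile(r"Preventing Cross Site Scripting Attempt From: (\S+)")
REQ_RE = re.compile(r"request \[(.*)\]$")


def find_xss_attempts(log_text):
    """Return one record per transaction in which isXSSattempt fired (PAM-SPFD-0018)."""
    txns = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines or anything not in the standard format
        ts, txn, _level, func, msg = m.groups()
        t = txns.setdefault(txn, {"txn": txn, "peer": None, "port": None,
                                  "xss_from": None, "xss_time": None, "requests": []})
        if func == "run" and (c := CONN_RE.search(msg)):
            t["peer"], t["port"] = c.group(1), int(c.group(2))   # who opened the connection
        elif func == "isXSSattempt" and (x := XSS_RE.search(msg)):
            t["xss_from"], t["xss_time"] = x.group(1), ts        # address named by the check
        elif r := REQ_RE.search(msg):
            t["requests"].append(r.group(1))                     # internal PAM requests
    # Keep only transactions where the check fired and note whether the address in the
    # check agrees with the address that opened the connection (a mismatch is worth a look).
    hits = [t for t in txns.values() if t["xss_from"]]
    for t in hits:
        t["peer_matches"] = t["peer"] == t["xss_from"]
    return hits


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_SPFD_LOG):
        print(f"{hit['xss_time']} txn {hit['txn']}: XSS attempt from {hit['xss_from']} "
              f"(connection {hit['peer']}:{hit['port']}, {len(hit['requests'])} internal requests)")
```

Run it against the downloaded xcd_spfd.log by passing the file contents to find_xss_attempts; the session-log timestamp of the PAM-SPFD-0018 entry should match the xss_time of one of the reported transactions.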

If the log has rolled over since the message was written but the event occurred within the past 5 days, download the session logs (Download button at the top right of the Sessions > Logs page) as well as the system logs (logs.bin), which are obtained by clicking the Download button to the right of the "Download System Diagnostics" label on the Download page mentioned above, after setting the "Past Days" parameter to 5. Click the button only once, even though it may take a while before you see the file being saved. Then open a case with Broadcom Support and attach both the system and session logs.