When a user accesses the resource /affwebservices/public/samlcc on a Web
Agent Option Pack, the TARGET parameter is vulnerable to "Open Redirect":
the HTTP request can be modified to carry an arbitrary URL, and the user is
redirected to that attacker-chosen URL.
Web Agent Option Pack 12.52SP1CR10 on Tomcat on Linux
At first glance, there is an ACO parameter you can set for the Web Agent
Option Pack, ValidFedTargetDomain, that forces it to validate the TARGET
value against a white list of federation domains (1)(2)(3).
With that parameter set, a GET request whose TARGET points at an unknown
host such as mybadserver.mybaddomain.com should be checked by the Web Agent
Option Pack before the redirect response is returned to the browser:
GET /affwebservices/public/samlcc?TARGET=http://mybadserver.mybaddomain.com&SAMLart=dsF1csdwedwdsads44dsa4w4wd44dslN5g%2BHadj2f2IwfY
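As an added example (not SiteMinder or Web Agent Option Pack code), the following Python models the check that a ValidFedTargetDomain-style white list has to perform on the TARGET parameter of /affwebservices/public/samlcc before the credential collector issues its redirect. The domain list, the sample query strings and the function names are assumptions for illustration; the check is done on the parsed hostname, not on a substring of the raw value, so the usual bypasses (host-as-prefix, userinfo, scheme-relative URLs, backslashes) are rejected.

```python
"""Allow-list validation of a federation TARGET parameter.

Added example, not SiteMinder / Web Agent Option Pack code. It models what a
ValidFedTargetDomain-style white list must do so that
/affwebservices/public/samlcc?TARGET=... cannot be used as an open redirect.
The domain list, query strings and helper names are assumptions.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed allow list (assumption): the federation partner's domains.
VALID_FED_TARGET_DOMAINS = ("sp.example.com", "partner.example.org")


def target_is_allowed(target: str, valid_domains=VALID_FED_TARGET_DOMAINS) -> bool:
    """Return True only if TARGET is an absolute http(s) URL whose hostname is
    one of the valid domains or a subdomain of one of them.

    The decision is made on the hostname the browser will actually connect
    to, so "https://sp.example.com.evil.test" (allowed host used as a prefix)
    and "https://sp.example.com@evil.test" (allowed host in the userinfo
    part) are both refused.
    """
    # Browsers normalise "\" to "/" in URLs; refuse instead of guessing.
    if "\\" in target:
        return False
    try:
        parts = urlsplit(target)
    except ValueError:           # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False             # also rejects "//evil.test" and "javascript:" targets
    if parts.username is not None or parts.password is not None:
        return False             # userinfo trick: https://sp.example.com@evil.test
    host = parts.hostname        # already lower-cased, port stripped
    if not host:
        return False
    host = host.rstrip(".")
    return any(host == d or host.endswith("." + d) for d in valid_domains)


def samlcc_redirect(query_string: str, valid_domains=VALID_FED_TARGET_DOMAINS):
    """Decide what the collector does with ?TARGET=...&SAMLart=...

    Returns (status, location). The vulnerable behaviour described above is
    equivalent to returning (302, target) without any check; this version
    only redirects when the target passes the allow list.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    target = params.get("TARGET", [""])[0]
    if not target:
        return 400, ""
    if not target_is_allowed(target, valid_domains):
        return 403, ""
    return 302, target


if __name__ == "__main__":
    # Constructed sample queries; the first mirrors the request on this page
    # with the SAMLart value shortened (the artifact is not used by the check).
    samples = [
        "TARGET=http://mybadserver.mybaddomain.com&SAMLart=dsF1",
        "TARGET=https://sp.example.com/app&SAMLart=dsF1",
        "TARGET=https://sp.example.com.evil.test/&SAMLart=dsF1",
        "TARGET=https://sp.example.com@evil.test/&SAMLart=dsF1",
        "TARGET=//evil.test/&SAMLart=dsF1",
        "TARGET=https://login.sp.example.com:8443/x&SAMLart=dsF1",
    ]
    for q in samples:
        print(q, "->", samlcc_redirect(q))
```

A real deployment would also pin the scheme to https and reject a TARGET that points back at the collector itself to avoid redirect loops; both are one extra condition in target_is_allowed.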
(1) Web Agent Option Pack :: ACO : Full List, entry "ValidFedTargetDomain".
https://knowledge.broadcom.com/external/article?articleId=49319
(2) ValidFedTargetDomain: "Defines valid domains for your federated
environment. See Agent Setting for Federation Domains."
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/configuring/web-agent-configuration/list-of-agent-configuration-parameters.html
(3) SAML Credential Collector Service URL (SAML 1.x): "The SAML Credential
Collector service assists in consuming SAML 1.x assertions." Default URL for
this service: https://consumer_server:port/affwebservices/public/samlcc,
where consumer_server:port identifies the web server and port hosting the
Web Agent Option Pack or CA Access Gateway.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/configuring/legacy-federation/federation-web-services-urls-used-by-the-product.html