[Pentest Finding] Open Redirect Vulnerability in affwebservices

Article ID: 191744

Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction


We're running a Web Agent Option Pack and we've found a vulnerability.


When a user accesses resource /affwebservices/public/samlcc, the TARGET
parameter is vulnerable to "Open Redirect": the HTTP request can be
modified to contain some arbitrary URL, redirecting the user to this
modified URL.

How can we fix this?

Environment


Web Agent Option Pack 12.52SP1CR10 on Tomcat on Linux

Resolution


The Web Agent Option Pack has an ACO parameter you can set to force it
to validate the TARGET value against a white list of federation
domains:

  Web Agent Option Pack :: ACO : Full List

    ValidFedTargetDomain

  https://knowledge.broadcom.com/external/article?articleId=49319

  ValidFedTargetDomain 

    Defines valid domains for your federated environment. See Agent
    Setting for Federation Domains.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/configuring/web-agent-configuration/list-of-agent-configuration-parameters.html

  SAML Credential Collector Service URL (SAML 1.x)

   The SAML Credential Collector service assists in consuming SAML 1.x assertions.

     Default URL for this Service

     https://consumer_server:port/affwebservices/public/samlcc

     consumer_server:port

     Identifies the web server and port hosting the Web Agent Option
     Pack or CA Access Gateway.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/configuring/legacy-federation/federation-web-services-urls-used-by-the-product.html

So a GET request whose TARGET is an unknown host such as
"mybadserver.mybaddomain.com" will be validated against
ValidFedTargetDomain by the Web Agent Option Pack before the response
is given to the browser.

  GET /affwebservices/public/samlcc?TARGET=http://mybadserver.mybaddomain.com&SAMLart=dsF1csdwedwdsads44dsa4w4wd44dslN5g%2BHadj2f2IwfY
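To make the white-list behaviour concrete, here is an added Python example of the kind of check a ValidFedTargetDomain-style setting performs on the TARGET parameter. It is illustrative code written for this article, not SiteMinder's own implementation: the allowlist values, the function names and the sample query strings are constructed. It goes slightly beyond the single case above by also handling the usual redirect-validation edge cases a pentester would probe next (scheme-relative `//host` targets, `user@host` tricks, backslashes and non-http schemes), so that only targets on an allowed federation domain, or relative paths on the same site, pass.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist standing in for the ValidFedTargetDomain ACO value.
# These are example domains, not values from the article.
VALID_FED_TARGET_DOMAINS = ("example.com", "partner.example.org")


def target_is_allowed(target, allowed_domains=VALID_FED_TARGET_DOMAINS):
    """Return True only if TARGET points at an allowed federation domain
    (or is a same-site relative path); anything else is an open redirect.

    Handled edge cases:
      - scheme-relative targets such as //evil.example  -> rejected
      - userinfo tricks such as http://example.com@evil.example -> rejected
        (the real host is taken after the '@')
      - backslashes, which browsers treat as '/'      -> normalised first
      - non-http(s) schemes (javascript:, data:, ...)  -> rejected
      - host-suffix lookalikes (evilexample.com)       -> rejected
    """
    if not target:
        return False

    # Browsers interpret '\' as '/', so normalise before parsing; otherwise
    # "http:\\evil.example" would parse as a harmless relative path.
    normalised = target.replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:
        # e.g. malformed IPv6 brackets; refuse rather than guess
        return False

    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False

    if not parts.netloc:
        # No host at all: only accept a plain absolute path on this site,
        # never a scheme-relative "//host/..." target.
        return normalised.startswith("/") and not normalised.startswith("//")

    host = parts.hostname  # lowercased, userinfo and port stripped
    if not host:
        return False

    for domain in allowed_domains:
        domain = domain.lower().lstrip(".")
        # exact match or a proper subdomain (the leading '.' stops
        # "evilexample.com" from matching "example.com")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def check_samlcc_request(query_string, allowed_domains=VALID_FED_TARGET_DOMAINS):
    """Pull TARGET out of a /affwebservices/public/samlcc query string and
    decide whether the redirect should be honoured."""
    params = parse_qs(query_string, keep_blank_values=True)
    target = params.get("TARGET", [""])[0]  # parse_qs already URL-decodes
    return target_is_allowed(target, allowed_domains)


if __name__ == "__main__":
    # Constructed sample query strings modelled on the request in the article.
    samples = [
        "TARGET=http://mybadserver.mybaddomain.com&SAMLart=constructed",
        "TARGET=https://sp.example.com:8443/app&SAMLart=constructed",
        "TARGET=http%3A%2F%2Fexample.com%40evil.example%2F&SAMLart=constructed",
        "TARGET=%2F%2Fevil.example%2Fx&SAMLart=constructed",
        "TARGET=/protected/index.html&SAMLart=constructed",
    ]
    for qs in samples:
        print("ALLOW " if check_samlcc_request(qs) else "REJECT", qs)
```

The important design choice is to compare the parsed hostname, not the raw string: a substring or prefix test on the TARGET value is exactly what `http://example.com@evil.example` and `http://example.com.evil.example` are built to slip past.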