CSRF Protection for SSO Login Page fcc in Web Agent
Article ID: 195234

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

The SSO login page is hosted on a WebLogic Application Server. The credentials entered on that page are submitted to login.fcc, which is hosted by the Web Agent installed on the Web Server. Because the form posts to a different host than the one serving the page, the login page is vulnerable to a Cross-Site Request Forgery (CSRF) attack.

Resolution

To solve this issue, see "Vulnerability 4: Cross-Site Request Forgery (XSRF/CSRF)" in the remediation Tech Tip (1).

Within that document, see "Use a Relative Target for Credential Collector Redirects" and "Define Valid Target Domains" for more information on the ValidTargetDomain and TargetAsRelativeURI parameters (2).

Also see "Prevent Cross-Site Scripting Attacks in Web Agent FCC Pages" (3).
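The two parameters named above restrict where a credential collector may redirect after login: TargetAsRelativeURI forces the target to be a relative path on the same site, and ValidTargetDomain limits an absolute target to an allow-list of domains. The following is an added illustration of that validation logic, not code from CA/Broadcom or from the Web Agent itself; the function name, the domain list and the sample targets are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed policy values for the example, mirroring the intent of the two
# Web Agent parameters described in the referenced documentation.
VALID_TARGET_DOMAINS = (".example.com",)   # hypothetical ValidTargetDomain
TARGET_AS_RELATIVE_URI = True              # hypothetical TargetAsRelativeURI=yes


def is_valid_target(target, valid_domains=VALID_TARGET_DOMAINS,
                    relative_only=TARGET_AS_RELATIVE_URI):
    """Return True only if the post-login target may be used for a redirect.

    - With relative_only=True, only a same-site absolute path such as
      "/protected/app" is accepted.
    - With relative_only=False, an http(s) URL is accepted only when its host
      is one of, or a subdomain of, the configured valid target domains.
    """
    parts = urlsplit(target)

    # Relative target: no scheme and no authority component. Reject
    # protocol-relative forms ("//host/...") and backslash variants that
    # some browsers normalise to "//", since both leave the site.
    if parts.scheme == "" and parts.netloc == "":
        return (target.startswith("/")
                and not target.startswith("//")
                and "\\" not in target)

    # Anything with a scheme or host is absolute; forbidden in relative-only mode.
    if relative_only:
        return False

    # Absolute target: only http/https, and only to an allow-listed domain.
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    if not host:
        return False
    for domain in valid_domains:
        bare = domain.lstrip(".")
        # Exact match on the domain itself, or a true subdomain of it.
        if host == bare or host.endswith("." + bare):
            return True
    return False


if __name__ == "__main__":
    samples = [
        "/protected/app",
        "//attacker.invalid/steal",
        "https://app.example.com/home",
        "https://example.com.attacker.invalid/",
    ]
    for s in samples:
        print(f"{s!r}: relative-only={is_valid_target(s)}, "
              f"domain-list={is_valid_target(s, relative_only=False)}")
```

A same-site path passes in both modes; a protocol-relative or foreign-host target is rejected in both; an absolute URL on an allow-listed domain passes only when relative-only mode is switched off.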

Additional Information

(1) Tech Tip: CA Single Sign-On: Web Agent: Security vulnerability remediation techniques

(2) Define Valid Target Domains

(3) Prevent Cross-Site Scripting Attacks in Web Agent FCC Pages