Login.fcc vulnerable to Cross-Site Request Forgery (XSRF/CSRF) Protection in Web Agent

Article ID: 195234


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

The SSO login page is hosted on a WebLogic Application Server.

The credentials entered on the login page are submitted to login.fcc, which is hosted on the Web Agent installed on the Web Server.

Because login.fcc accepts that credential POST regardless of which origin served the form, the login page is vulnerable to XSRF/CSRF attacks.

Resolution

To solve this issue, see "Vulnerability 4: Cross-Site Request Forgery (XSRF/CSRF)" (1).

Within that document, see "Use a Relative Target for Credential Collector Redirects" and "Define Valid Target Domains" for more information on the ValidTargetDomain and TargetAsRelativeURI parameters (2).
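The following is an added illustration, not Web Agent code, of the policy those two parameters express: the TARGET value carried by a credential-collector request is only honoured when it is a relative URI (TargetAsRelativeURI) or when its host falls within a configured domain list (ValidTargetDomain). The domain list and the handling of scheme-relative and userinfo-bearing targets are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed settings mirroring the two Web Agent parameters named above.
# The domains are example values, not a recommendation for any real site.
VALID_TARGET_DOMAINS = (".example.com", ".example.org")
TARGET_AS_RELATIVE_URI = True


def _is_path_only(target: str) -> bool:
    """True for a same-origin path such as '/portal', never for '//host/...'."""
    return target.startswith("/") and not target.startswith("//") and "\\" not in target


def is_valid_target(target: str,
                    valid_domains=VALID_TARGET_DOMAINS,
                    relative_only=TARGET_AS_RELATIVE_URI) -> bool:
    """Decide whether a TARGET parameter may be used for the post-login redirect.

    relative_only models TargetAsRelativeURI=yes: only path-only targets pass.
    Otherwise the host must sit inside one of the valid_domains suffixes,
    which models ValidTargetDomain. Anything else is rejected.
    """
    if not target:
        return False
    parts = urlsplit(target)
    # Reject non-HTTP schemes outright (javascript:, data:, ...).
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if relative_only or not parts.netloc:
        # A scheme-relative value like '//evil.test/' has a netloc and fails here.
        return not parts.scheme and not parts.netloc and _is_path_only(target)
    # urlsplit strips any 'user@' prefix, so 'https://a.example.com@evil.test/'
    # yields hostname 'evil.test' and is judged on the real destination.
    host = (parts.hostname or "").lower()
    if not host:
        return False
    return any(host == d.lstrip(".") or host.endswith(d) for d in valid_domains)
```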

Also, see "Prevent Cross-Site Scripting Attacks in Web Agent FCC Pages" (3).

Additional Information