The security team's bug bounty program identified vulnerabilities in the FCC form logon pages. The information was made public and requires immediate resolution.
For example, during a default FCC form login, when the username or another query parameter is injected with %5C (a URL-encoded backslash), the browser triggers a pop-up script:
[07/30/2020][14:50:47][327496][314056][CSmHttpPlugin.cpp:656][CSmHttpPlugin::ProcessResource][000000000000000000000000ea08f50a-4ff48-5f231687-4cac8-017e440d][*10.x.x.x][][agent1][][][Resolved URL: '/siteminderagent/forms/smpwservices.fcc?username=test123%5Cx3Cscript%5Cx3Ealert%5Cx28document.domain%5Cx29%5Cx3C%5Cx2Fscript%5Cx3E&SMAUTHREASON=7'.].
Release : ALL
Component : SITEMINDER -WEB AGENT
Cross-site scripting vulnerabilities are common in any web-based application.
Customers can choose from multiple ways to mitigate them, starting by following the documentation: Help Prevent Attacks
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/user-protection/help-prevent-attacks.html
On the SiteMinder side, the customer can mitigate this by setting the ACO parameter CSSChecking to Yes and adding \ to badcsschars, so that badcsschars=<,',>,\
The user then no longer gets the pop-up and instead receives an HTTP 403 Access Denied error. This directly resolves the reported issue.
Next, the customer can implement the ACO parameter SecureURLs (specifies whether the Web Agent encrypts the SiteMinder query parameters in a redirect URL). This option is often not practical to implement because a large number of applications and agents are already integrated in production.
While badcsschars blocks risky input characters, the customer can additionally encode the output of the FCC form URL by implementing the following ACO parameters:
FCCHTMLEncoding=no
FCCHTMLEncodingChars=%00-%2f,%3a-%40,%5b-%60,%7b-%7f
When FCCHTMLEncoding=no, the characters listed in FCCHTMLEncodingChars are HTML-encoded.
The range list in FCCHTMLEncodingChars covers the following characters, among others:
%22 "
%23 #
%26 &
%27 '
%28 (
%29 )
%3c <
%3e >
%5c \
FCCHTMLEncodingChars addressed the immediate need to resolve the cross-site scripting issue. However, this particular customer considers "blacklisting" (filtering known-bad values) impermissible under their internal standard. Their requirement for a proper remediation is to encode all non-alphanumeric characters on output and to validate all input against a whitelist of acceptable values.
That final requirement is not met by current SiteMinder product features. The customer will raise an enhancement request via the community IDEA process.
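The following Python is an added illustration, not SiteMinder code and not part of this article. It models the three controls discussed above on the username value from the log line: the CSSChecking/badcsschars rejection (with and without the backslash), the FCCHTMLEncodingChars range encoding, and the stricter encode-all-non-alphanumeric plus whitelist approach the customer requested. The numeric entity form, the whitelist pattern and the function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# ACO values quoted in the article; the hardened badcsschars adds the backslash.
BADCSSCHARS_DEFAULT = "<,',>"
BADCSSCHARS_HARDENED = "<,',>,\\"
FCCHTMLENCODINGCHARS = "%00-%2f,%3a-%40,%5b-%60,%7b-%7f"
# Constructed sample: the username query value from the log line in the article.
SAMPLE_USERNAME = ("test123%5Cx3Cscript%5Cx3Ealert%5Cx28document.domain"
                   "%5Cx29%5Cx3C%5Cx2Fscript%5Cx3E")


def csschecking_rejects(raw_value: str, badcsschars: str) -> bool:
    """Model of CSSChecking=Yes: True when the URL-decoded value contains any
    character listed in badcsschars (the agent would answer HTTP 403)."""
    decoded = unquote(raw_value)
    return any(ch in decoded for ch in badcsschars.split(","))


def parse_encoding_ranges(spec: str) -> list:
    """Turn '%00-%2f,%3a-%40,...' into inclusive (low, high) code point ranges."""
    ranges = []
    for item in spec.split(","):
        low, _, high = item.partition("-")
        low_cp = int(low.lstrip("%"), 16)
        high_cp = int(high.lstrip("%"), 16) if high else low_cp
        ranges.append((low_cp, high_cp))
    return ranges


def fcc_html_encode(text: str, spec: str = FCCHTMLENCODINGCHARS) -> str:
    """Model of FCCHTMLEncoding=no: characters inside a FCCHTMLEncodingChars
    range are emitted as numeric HTML entities (assumed entity form)."""
    ranges = parse_encoding_ranges(spec)
    return "".join(
        f"&#x{ord(ch):02x};" if any(lo <= ord(ch) <= hi for lo, hi in ranges) else ch
        for ch in text
    )


def encode_all_non_alnum(text: str) -> str:
    """Customer's requirement: encode everything except A-Z, a-z and 0-9 on output."""
    return "".join(ch if re.fullmatch(r"[A-Za-z0-9]", ch) else f"&#x{ord(ch):02x};"
                   for ch in text)


def username_matches_whitelist(text: str) -> bool:
    """Whitelist input validation; the accepted pattern is an assumed policy."""
    return re.fullmatch(r"[A-Za-z0-9._@-]{1,64}", unquote(text)) is not None
```

The default badcsschars does not reject the sample because the decoded value contains literal `\x3C` sequences rather than `<`, which is why the article adds `\` to the list.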