
WebAgent javascript variable values vulnerability on login.fcc


Article ID: 215795


Updated On:


CA Single Sign On Agents (SiteMinder) SITEMINDER



When a Web Agent serves login.fcc, the page code is vulnerable to XSS
injection, as one can insert the following into the FORM (1):

  <script type="text/javascript">
  var frmSubmit = 'true';alert(document.domain);'';

The Internal Security team mentioned:

  We recommend validating all the user inputs that are supplied while
  submitting the Login form.
  If the expected value is "true", the server should validate that the
  submitted form has the value "true" and no other special characters.

  If the value is changed to anything other than "true", the server can
  overwrite/blank the modified value.




At first glance, in order to validate all users' inputs, the Web Agent
has 2 ACO Parameters you can configure: BadFormChars (2) and
fcchtmlencoding (3).




Enable both ACO Parameters for the Web Agent: BadFormChars and


Additional Information



    Cross Site Scripting Prevention Cheat Sheet


    Enable Bad Form Characters

      The following characters are commonly used in cross-site scripting:

      - Left and right brackets (< >)
      - ampersand (&)
      - quotation marks (")

      If you want to use scripting code for presenting forms to a user
      during an authentication challenge, enable the following parameter
      to configure the Web Agent to block any special characters before
      sending them to an HTML form:



    Prevent Cross-Site Scripting Attacks in Web Agent FCC Pages

      To prevent cross-site scripting attacks against the web agent FCC
      pages, use HTML encoding to ensure that your FCC variable data is
      rendered correctly.

      HTML encoding ensures that the characters are treated as their
      literal value and not as HTML syntax. Encoding ensures that the
      damaging cross-site scripting syntax is rendered as literal text as
      it must appear and that the browser does not execute the code while
      rendering the HTML form. You can encode all the syntax that could be
      misused during an attack.

      The fcchtmlencoding parameter instructs an agent to apply an HTML
      encoding algorithm to all the values inserted into the FCC
      variables that have the following syntax:


      If the characters that are traditionally blocked are necessary in
      the FCC data, then enable the fcchtmlencoding parameter.
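The substitution into the FCC variable described above, next to the three protections the article discusses (blocking bad form characters, HTML-encoding FCC variable data, and the security team's strict check for the value "true"), as an added Python example that is not part of the article or of the Web Agent's own code. The template, the blocked-character set (the article's list extended with the single quote) and the function names are assumptions made to model the behaviour.

```python
import html
from typing import Optional

# Constructed template mirroring the login.fcc snippet quoted in the article.
# Assumption: the agent substitutes the submitted frmSubmit value directly
# into this JavaScript string literal.
FCC_TEMPLATE = '<script type="text/javascript">\nvar frmSubmit = \'%s\';\n</script>'

# The characters the article lists for BadFormChars (< > & "), extended by
# assumption with the single quote, which is what the quoted payload relies on
# to terminate the single-quoted JavaScript string.
BAD_FORM_CHARS = frozenset("<>&\"'")

# The payload quoted in the article, reused here as test input.
PAYLOAD = "true';alert(document.domain);'"


def render_unprotected(value: str) -> str:
    """The vulnerable behaviour: raw substitution into the FCC variable."""
    return FCC_TEMPLATE % value


def render_with_bad_form_chars(value: str) -> Optional[str]:
    """BadFormChars-style: refuse to render a value containing a blocked character."""
    if any(ch in BAD_FORM_CHARS for ch in value):
        return None
    return FCC_TEMPLATE % value


def render_with_html_encoding(value: str) -> str:
    """fcchtmlencoding-style: HTML-encode the value before substitution, so
    quotes and angle brackets become entities and cannot close the literal."""
    return FCC_TEMPLATE % html.escape(value, quote=True)


def validate_frm_submit(value: str) -> str:
    """The security team's recommendation: the only acceptable value is the
    literal 'true'; anything else is overwritten with an empty value."""
    return value if value == "true" else ""


def js_string_intact(rendered: str) -> bool:
    """Check helper: only the template's own two quotes should be present,
    meaning the submitted value could not terminate the JavaScript string."""
    return rendered.count("'") == 2
```

Note that the HTML-encoded value is rendered with entities inside the script block, so it is unusable as a value but harmless; the strict allowlist check is the one that preserves the expected "true".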