
WebAgent javascript variable values vulnerability on login.fcc


Article ID: 215795


Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction


When a Web Agent serves login.fcc, the page it generates is open to
cross-site scripting (XSS) injection: a value submitted in the FORM is
written into the page's JavaScript as-is, so an injected value ends up
rendered as (1):

  <script type="text/javascript">
  var frmSubmit = 'true';alert(document.domain);'';

The internal security team stated:

  We recommend validating all user inputs that are supplied when
  submitting the login form.

  If the expected value is "true", the server should validate that the
  submitted form has the value "true" with no other special characters
  appended.

  If the value is changed to anything other than "true", the server can
  overwrite or blank the modified value.


Cause


At first glance, to validate all user inputs, the Web Agent offers two
ACO parameters that can be configured: BadFormChars (2) and
fcchtmlencoding (3).


Resolution


Enable both ACO parameters for the Web Agent: BadFormChars and
fcchtmlencoding.


Additional Information


(1)

    Cross Site Scripting Prevention Cheat Sheet
    https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

(2)

    Enable Bad Form Characters

      The following characters are commonly used in cross-site scripting
      attacks:

      - Left and right brackets (< >)
      - ampersand (&)
      - quotation marks (")

      If you want to use scripting code for presenting forms to a user
      during an authentication challenge, enable the following parameter
      to configure the Web Agent to block any special characters before
      sending them to an HTML form:

      BadFormChars

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/user-protection/help-prevent-attacks.html#concept.dita_a4f1c9b394b5b45650256db5105c5886a242345b_PreventCrossSiteScriptingAttacksinWebAgentFCCPages

(3)

    Prevent Cross-Site Scripting Attacks in Web Agent FCC Pages

      To prevent cross-site scripting attacks against the web agent FCC
      pages, use HTML encoding to ensure that your FCC variable data is
      rendered correctly.

      HTML encoding ensures that the characters are treated as their
      literal value and not as HTML syntax. Encoding ensures that the
      damaging cross-site scripting syntax is rendered as literal text as
      it must appear and that the browser does not execute the code while
      rendering the HTML form. You can encode all the syntax that could be
      misused during an attack.

      The fcchtmlencoding parameter instructs an agent to apply an HTML
      encoding algorithm to all the values inserted into the FCC
      variables that have the following syntax:

      $$varname$$

      If the characters that are traditionally blocked are necessary in
      the FCC data, then enable the fcchtmlencoding parameter.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/user-protection/help-prevent-attacks.html#concept.dita_a4f1c9b394b5b45650256db5105c5886a242345b_PreventCrossSiteScriptingAttacksinWebAgentFCCPages
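As an added illustration (not code from this article or from the SiteMinder agent), the following Python models the $$varname$$ substitution into the login.fcc fragment shown in the Issue section, the BadFormChars blocking set as listed in note (2), the HTML encoding described in note (3), and the allow-list check the security team recommends, then tests whether the article's injected value still breaks out of the JavaScript string. The template text, the placeholder regular expression, the blocked-character default and the use of Python's html.escape as the encoder are assumptions; the real agent's encoding algorithm and default character set may differ.

```python
import html
import re

# Constructed fragment modelled on the login.fcc snippet in this article.
# Only the $$varname$$ placeholder syntax comes from the product docs.
FCC_TEMPLATE = """<script type="text/javascript">
var frmSubmit = '$$frmSubmit$$';
</script>"""

# The injected value from the article, as it would arrive in the POST body.
INJECTED = "true';alert(document.domain);'"

# Characters note (2) lists for BadFormChars; an assumed default, not the agent's.
DEFAULT_BAD_FORM_CHARS = '<>&"'


def has_bad_form_chars(value, bad_chars=DEFAULT_BAD_FORM_CHARS):
    """Model of BadFormChars: True if the value contains any blocked character."""
    return any(c in bad_chars for c in value)


def render_fcc(template, values, html_encode=False):
    """Substitute $$name$$ placeholders; html_encode models fcchtmlencoding
    (Python's html.escape is an assumed stand-in for the agent's encoder)."""
    def sub(m):
        v = values.get(m.group(1), "")
        return html.escape(v, quote=True) if html_encode else v
    return re.sub(r"\$\$(\w+)\$\$", sub, template)


def breaks_out_of_js_string(rendered):
    """Detection heuristic: the frmSubmit assignment should hold exactly one
    quoted literal, i.e. two single quotes. More means the value closed it early."""
    line = next(l for l in rendered.splitlines() if "frmSubmit" in l)
    return line.count("'") != 2


def validate_frm_submit(value):
    """Allow-list check from the security team's recommendation: accept only
    the expected value "true", otherwise blank the submitted value."""
    return value if value == "true" else ""


if __name__ == "__main__":
    raw = render_fcc(FCC_TEMPLATE, {"frmSubmit": INJECTED})
    enc = render_fcc(FCC_TEMPLATE, {"frmSubmit": INJECTED}, html_encode=True)
    print("raw render breaks out:", breaks_out_of_js_string(raw))            # True
    print("encoded render breaks out:", breaks_out_of_js_string(enc))        # False
    print("blocked by <>&\" list:", has_bad_form_chars(INJECTED))            # False
    print("blocked with ' added:", has_bad_form_chars(INJECTED, "<>&\"'"))   # True
```

Note that the article's injected value uses only a single quote and a semicolon, so the blocked set in note (2) alone does not catch it in this model; the HTML encoding of the quote and the allow-list check both do.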