
Cross-Site Scripting (XSS) vulnerability with smpwservices.fcc


Article ID: 252583

Products

SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

A security vulnerability was reported after a server vulnerability scan.

The referenced page is an out-of-the-box (OOTB) page and authentication scheme.

Severity Rating: Medium

https://webagent.host.com/siteminderagent/forms/smpwservices.fcc?USERNAME=\u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022confirm(document.domain)\u0022\u003e&SMAUTHREASON=7

Vulnerability Summary: Cross-Site Scripting (XSS)

Impact:

Cookie Stealing - A malicious user can steal cookies and use them to gain access to the application.
Arbitrary requests - An attacker can use XSS to send requests that appear to be from the victim to the web server.
Malware download - XSS can prompt the user to download malware. Since the prompt looks like a legitimate request from the site, the user may be more likely to trust the request and actually install the malware.

Environment

All policy server releases: 12.8

Web agent: 12.52

Cause

Cross-Site Scripting vulnerabilities are common in any web-based application.
Customers can choose among several ways to mitigate them, starting by following the documentation (Help Prevent Attacks):
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/user-protection/help-prevent-attacks.html

Resolution

1. During password services processing, a user request is redirected multiple times. When the request is redirected, the login ID (typically the username) entered by the user is appended to the request URL by default. To change this default behavior so that the login ID (username) is not appended to redirects, follow the procedure in the documentation (Remove the Login ID When Redirecting for Password Services):

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/configuring/policy-server-configuration/password-services-and-policies/how-to-configure-password-policies.html

2. On the SiteMinder Web Agent side, set the ACO parameter CSSChecking to Yes and add the backslash (\) to badcsschars, so that badcsschars=<,',>,\
The user will then no longer get the pop-up and will receive a 403 Access Denied error instead. In this particular use case, ( and ) can also be added to badcsschars if desired.
Option 2 is the most popular and effective mitigation choice.
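To show why adding the backslash to badcsschars matters for this specific finding, the following Python emulates the agent-side CSSChecking decision described in option 2 and runs it against the scanner request quoted above. This is an added illustration, not the article's content and not the Web Agent's own code: the check logic, the helper names, the "before" value "<,',>" (implied by the article's "so badcsschars=<,',>,\"), and the treatment of \uXXXX escapes are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed settings for this illustration. BEFORE is the badcsschars value
# the article implies was in place; AFTER is the value the article recommends;
# AFTER_WITH_PARENS is the optional variant that also blocks ( and ).
BEFORE = "<,',>"
AFTER = "<,',>,\\"
AFTER_WITH_PARENS = "<,',>,\\,(,)"

# Query string of the scanner request quoted in the article. A raw string keeps
# the \uXXXX sequences literally, exactly as they appear in the URL.
SCAN_PAYLOAD_QUERY = (
    r"USERNAME=\u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022"
    r"confirm(document.domain)\u0022\u003e&SMAUTHREASON=7"
)
# Constructed normal login request, to confirm the hardened setting does not
# block legitimate traffic.
BENIGN_LOGIN_QUERY = "USERNAME=jdoe&SMAUTHREASON=7"


def parse_bad_css_chars(setting: str) -> set:
    """Split a comma-separated badcsschars value into individual characters."""
    return {item for item in setting.split(",") if item}


def css_check(query_string: str, bad_chars: set, css_checking: bool = True):
    """Emulate the CSSChecking decision for one request (assumed logic).

    Returns (status, reason): 200 if the request would be passed on to the FCC,
    403 if the agent would reject it. The check runs on the URL-decoded query
    so that percent-encoded forms of a forbidden character are caught as well.
    """
    if not css_checking:
        return 200, "CSSChecking=No: query string not inspected"
    decoded = unquote(query_string)
    for ch in sorted(bad_chars):
        if ch in decoded:
            return 403, f"access denied: forbidden character {ch!r} in query string"
    return 200, "no forbidden characters found"


def decode_unicode_escapes(value: str) -> str:
    """Turn JavaScript-style \\uXXXX escapes into the characters they encode.

    Only used to show why the BEFORE setting misses the payload: the forbidden
    '<' and '>' appear only once the escape sequences are interpreted, and the
    backslash is the one character present in the raw request.
    """
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)


def evaluate_mitigations(query: str = SCAN_PAYLOAD_QUERY) -> dict:
    """HTTP status the emulated agent returns for one query under each setting."""
    return {
        "before": css_check(query, parse_bad_css_chars(BEFORE))[0],
        "after": css_check(query, parse_bad_css_chars(AFTER))[0],
        "after_with_parens": css_check(query, parse_bad_css_chars(AFTER_WITH_PARENS))[0],
    }


if __name__ == "__main__":
    for label, status in evaluate_mitigations().items():
        print(f"{label:18s} -> HTTP {status}")
    username = SCAN_PAYLOAD_QUERY.split("&")[0].split("=", 1)[1]
    print("USERNAME once escapes are interpreted:", decode_unicode_escapes(username))
    print("benign login under the hardened setting -> HTTP",
          css_check(BENIGN_LOGIN_QUERY, parse_bad_css_chars(AFTER))[0])
```

Running it prints 200 for the "before" setting and 403 for both hardened settings, while the plain jdoe login still returns 200. The point the emulation makes is that the raw request contains none of <, ' or >, so a character list without the backslash never fires; the backslash is what the escaped form cannot avoid, which is why the article adds it rather than extending the list of angle brackets.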

3. Additionally, one can implement the ACO parameter SecureURLs (specifies whether the Web Agent encrypts the SiteMinder query parameters in a redirect URL). This option is often not practical to implement because a large number of applications and agents are already integrated in production. However, it is the ultimate solution.

SecureURLs is used for encrypting query string parameters in redirection URLs within a single sign-on environment. When enabling it, ensure that all Web Agents in the single sign-on environment have the SecureURLs parameter set to the same value.

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/forms-authentication/how-to-configure-an-agent-to-support-html-forms-authentication/configure-advanced-fcc-settings/encrypt-query-string-parameters-in-redirection-urls.html

Additional Information

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/user-protection/help-prevent-attacks.html

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/configuring/policy-server-configuration/password-services-and-policies/how-to-configure-password-policies.html