Cross-Site Scripting (XSS) vulnerability with smpwservices.fcc

Article ID: 252583

Products

SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

A security vulnerability was reported after a server vulnerability scan.

The page referenced is an out-of-the-box (OOTB) page and authentication scheme.

Severity Rating: Medium

https://example.example.com/siteminderagent/forms/smpwservices.fcc?USERNAME=\u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022confirm(document.domain)\u0022\u003e&SMAUTHREASON=7

Note: Here 'example.example.com' is the Web Agent host FQDN.

Vulnerability Summary: Cross-Site Scripting (XSS)

Impact:

Cookie stealing - A malicious user can steal session cookies and use them to gain access to the application.

Arbitrary requests - An attacker can use XSS to send requests to the web server that appear to come from the victim.

Malware download - XSS can prompt the user to download malware. Since the prompt looks like a legitimate request from the site, the user may be more likely to trust it and actually install the malware.

Environment

All Policy Server releases: 12.8

Web Agent: 12.52

Cause

Cross-site scripting vulnerabilities are common in any web-based application.

Customers can choose among multiple ways to mitigate, starting by following the documentation: Help Prevent Attacks

Resolution

1. During password services processing, a user request is redirected multiple times. When the request is redirected, the login ID (typically the username) entered by the user is appended to the request URL by default. To change this default behavior so that the login ID is not appended to redirects, follow the procedure in the documentation (Remove the Login ID When Redirecting for Password Services): How to Configure Password Policies

2. On the SiteMinder Web Agent side, set the ACO parameter CSSChecking to Yes and add \ to badcsschars, so that badcsschars=<,',>,\
With this setting the user no longer gets a pop-up and instead receives an HTTP 403 (access denied) error. In this particular use case, ( and ) can also be added to badcsschars if desired.
Option 2 is the most popular and effective mitigation choice.

3. Additionally, one can enable the ACO parameter SecureURLs (which specifies whether the Web Agent encrypts the SiteMinder query parameters in a redirect URL). This option is often not practical to implement because a large number of apps and agents are already integrated in production. However, it is the ultimate solution.

SecureURLs encrypts query string parameters in redirection URLs within a single sign-on environment. When enabling it, ensure that all Web Agents in the single sign-on environment have the SecureURLs parameter set to the same value.

See Encrypt Query String Parameters in Redirection URLs.
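The following is an added example, not CA/Broadcom code: a simplified Python model of the Web Agent's CSSChecking/badcsschars filter from option 2, run against the scanner URL quoted above. It assumes the agent rejects a request when any listed character appears in the raw request URL or its percent-decoded form, and shows why the list implied by this article (<,',>) misses the \u-escaped payload while adding \ (and optionally parentheses) turns it into a 403.

```python
# Added example (not CA/Broadcom code): a simplified model of the Web Agent's
# CSSChecking / badcsschars filter. It shows why the list implied by this
# article (<,',>) lets the scanner's \u-escaped payload through and why
# adding \ (resolution step 2) turns it into a 403.
# Assumption: the agent rejects a request when any listed character appears
# in the raw request URL or in its percent-decoded form.
from urllib.parse import unquote

BEFORE_BADCSSCHARS = "<,',>"        # value before step 2, as implied by the article
AFTER_BADCSSCHARS = "<,',>,\\"      # step 2: backslash added
STRICT_BADCSSCHARS = "<,',>,\\,(,)" # optional: parentheses added as well

# The scanner URL quoted in the article (host is the article's placeholder).
# Note the request contains no literal '<' or '>', only \u003c and \u003e.
SCANNER_URL = (
    "https://example.example.com/siteminderagent/forms/smpwservices.fcc"
    "?USERNAME=\\u003cimg\\u0020src\\u003dx\\u0020onerror\\u003d\\u0022"
    "confirm(document.domain)\\u0022\\u003e&SMAUTHREASON=7"
)

def parse_badcsschars(value: str) -> set:
    """Split the comma-separated ACO value into a set of characters."""
    return {c for c in value.split(",") if c}

def css_check(url: str, badcsschars: str, css_checking: bool = True) -> int:
    """HTTP status the modelled agent answers with: 403 when CSSChecking is
    on and a listed character is present, otherwise 200."""
    if not css_checking:
        return 200
    bad = parse_badcsschars(badcsschars)
    # Look at the raw URL and its percent-decoded form, so %3C etc. are caught.
    for candidate in (url, unquote(url)):
        if any(ch in bad for ch in candidate):
            return 403
    return 200

def decode_js_escapes(value: str) -> str:
    """What a JavaScript sink does with \\uXXXX sequences: turn them back
    into literal characters. This is why the raw-URL check needs '\\'."""
    return value.encode("ascii").decode("unicode_escape")

if __name__ == "__main__":
    for label, chars in (("before", BEFORE_BADCSSCHARS),
                         ("after", AFTER_BADCSSCHARS),
                         ("strict", STRICT_BADCSSCHARS)):
        print(f"{label:7s} badcsschars={chars!r:16} -> {css_check(SCANNER_URL, chars)}")
    username = SCANNER_URL.split("USERNAME=")[1].split("&")[0]
    print("decoded USERNAME contains '<':", "<" in decode_js_escapes(username))
```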