Advanced Authentication Admin console - Penetration testing -- token in url


Article ID: 269378


Products

CA Strong Authentication
CA Advanced Authentication
CA Advanced Authentication - Risk Authentication (RiskMinder / RiskFort)
CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort)

Issue/Introduction

The penetration test scan report flags a low-severity vulnerability, "Token in URL".

Vulnerability Description

The token has been observed being passed in the URL as a GET parameter. Sensitive cryptographic information is not supposed to be present in the URL.

Control Category

Recommended

Risk

Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Suggested Mitigation Steps

Applications should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
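The risk and mitigation sections above describe why a session token in a GET query string is exposed (browser history, proxy and server access logs, Referer headers) and recommend cookies or POST bodies instead. A defender reviewing an Admin Console deployment will want to check whether tokens are actually appearing in URLs, and the most direct place to look is the web server access log. The following scanner is an added example written for this article, not code from the Advanced Authentication product; the parameter names it looks for, the combined-log-format layout, the `/admin/...` paths and the log lines themselves are all constructed assumptions for illustration. It flags requests whose query string (or servlet-style `;jsessionid=` path parameter) carries a token-like value, and separately flags requests whose Referer header carries one, which is how a URL-borne token propagates to the next page and, eventually, to other hosts.

```python
"""Detect session tokens passed as URL parameters in web-server access logs.

Added example for this article; not part of the Advanced Authentication product.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Query-parameter names that commonly carry session or authentication material.
# Assumption: a generic list, not taken from the product; extend it per deployment.
TOKEN_PARAM_NAMES = {
    "token", "sessionid", "jsessionid", "sid", "auth", "access_token", "ticket",
}

# Apache/nginx "combined" log format (assumed layout):
# client ident user [time] "METHOD TARGET PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Servlet containers may put the session id in the path as ;jsessionid=...
JSESSIONID_RE = re.compile(r';jsessionid=([^;?]+)', re.IGNORECASE)


def token_params(target):
    """Return (name, value) pairs in a request target or URL that look like tokens."""
    parts = urlsplit(target)
    hits = [
        (name, value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
        if name.lower() in TOKEN_PARAM_NAMES
    ]
    m = JSESSIONID_RE.search(parts.path)
    if m:
        hits.append(("jsessionid", m.group(1)))
    return hits


def redact(value):
    """Mask a token so the finding itself does not become a second copy of the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-4:]


def scan_log(lines):
    """Return one finding per request that carries a token in its URL or its Referer."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed log format; skip rather than guess
        referer = m.group("referer")
        in_url = token_params(m.group("target"))
        in_referer = token_params(referer) if referer != "-" else []
        if not in_url and not in_referer:
            continue
        findings.append({
            "client": m.group("client"),
            "method": m.group("method"),
            "path": urlsplit(m.group("target")).path,
            "status": int(m.group("status")),
            "params": [(n, redact(v)) for n, v in in_url],
            "referer_params": [(n, redact(v)) for n, v in in_referer],
        })
    return findings


# Constructed sample log lines (not real traffic, not real product paths).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /admin/login.htm?token=abcdef1234567890 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jan/2024:10:00:02 +0000] "GET /admin/home.htm HTTP/1.1" 200 2048 "https://aa.example.internal/admin/login.htm?token=abcdef1234567890" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Jan/2024:10:00:03 +0000] "POST /admin/login.htm HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jan/2024:10:00:04 +0000] "GET /admin/index.htm;jsessionid=ZZ99 HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

The POST login on the third line produces no finding: that is the pattern the mitigation section recommends, with the credential material in the request body rather than the request line. Tokens are redacted in the output so that the scan report does not itself become another place the secret is stored.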

Security Standard


Clause

FIL-ASTS 1039

Vulnerability Mechanism

Cryptography

Vulnerability Classification


Code Sample


Document URL


Finding Code

26602

Likelihood

Low

Impact

Low

Environment

Release : 9.1

Resolution

Comments from the engineering team:

1. We see that the vulnerability is in the Admin Console application, which is an internal application used by the customer and not the externally facing application. Also, when we check the severity of the vulnerabilities, they are all stated as "LOW" in the penetration test document.

So, we consider these as minimal risk because it is an internal application and because of the severity of the vulnerability.

2. We do not have any plans to fix this issue for the following reasons.

Below are the suggested mitigations for the reported use cases (Admin Console issue):

  • The AA Admin Console portal is recommended to run on HTTPS, which is secured communication.
  • The AA Admin Console portal is used only by Advanced Authentication administrators to set up and configure Strong Auth and Risk Auth. This AA Admin Console always runs within the DMZ environment, which is a customer-secured domain, and it is never exposed to end users or for public domain usage.

Workaround:

The problem is only seen when "LDAP User Password" is configured as the "Administrator Authentication Mechanism"; "Basic User Password" does not pass a token in the URL.

So another solution is to log in as masteradmin, configure the organization, and set "Administrator Authentication Mechanism" to "Basic User Password".