Identity Portal security scan reports vulnerabilities in SIGMA resources


Article ID: 280806


Products

CA Identity Suite

Issue/Introduction

A security scan may report the following vulnerabilities on the Identity Portal server.

  • Source code disclosure
  • Input returned in response (reflected)
  • Cacheable HTTPS response
  • DOM data manipulation (DOM-based)


Environment

Identity Portal 14.4.x

Resolution

  • Source code disclosure
    • "/sigma/js/ip/shared.js" has been "uglified" (minified and obfuscated), so the risk of exposure is minimized.
    • Sigma applies the WebPack uglification (obfuscation) technique to the "/sigma/js/ip/shared.js" file so that the source code is protected and no malicious attack can be carried out by accessing and replaying the source code functions.
    • During the uglification process, the source code is obfuscated into a non-readable format. The obfuscation mapping is resolved by the server when the browser issues the functional requests. Some of the static content that is part of the static content templates can be human-readable, but that has no bearing on the functional aspects of the application.
    • Beyond obfuscation, no additional techniques are required to protect the source code in this case.
    • Regarding any specific reference to "<%=datasetLabel%>": the Sigma user interface is built with AngularJS and does not use ASP or JSP anywhere. The datasetLabel for a chart must come from a third-party library that is not used anywhere in the Sigma implementation. Hence, it is a false positive.
    • No further action is required; remediation is not required.


  • Input returned in response (reflected)
    • This may be reported for public tasks (for example, Forgotten Password) that are not associated with a session.
    • The reflected value is required for tracking, so that the subsequent action can be carried out.
    • No further action is required; remediation is not required.


  • Cacheable HTTPS response
    • The reported resources are static, general content required for page rendering, for example:
      • /sigma
      • /sigma/assets/CA_IP_logo_grey_outline.29d275e387437e2f4db0d7f2b4b570df.svg
      • /sigma/js/i18n/languages/en.json
      • /sigma/rest/resources/JSON/en.json
    • These resources should not be blocked, because they are static UI resources that the UI pages must be able to access, for example:
      • The resource /sigma/js/i18n/languages/en.json contains static localization strings. They are ONLY UI labels to be displayed on the page; the file contains no dynamic or sensitive data.
      • The resource /sigma/rest/resources/JSON/en.json is NOT accessible: a 404 Not Found is returned when it is requested. Even this file would only contain static literals (UI labels) to be rendered on the page.
    • No further action is required; remediation is not required.
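The argument above rests on two checks a reviewer can repeat: whether the flagged path is a static UI resource, and what the server actually returned for it. The following Node.js script is an added triage helper written for this article; it is not Identity Portal code. The sample findings are constructed from the paths listed above plus one hypothetical dynamic endpoint, and the static-path allowlist (/sigma, /sigma/assets/, /sigma/js/) is an assumption about the deployment.

```javascript
// Added triage helper (not part of the Identity Portal product or this article):
// classifies "cacheable HTTPS response" scan findings by checking whether the
// flagged path is a static UI resource and what the response actually said.

// Constructed sample findings, modelled on the paths listed in the article.
// The last entry is a hypothetical dynamic endpoint, added to show the one
// case that does deserve a closer look.
const SAMPLE_FINDINGS = [
  { path: "/sigma", status: 200, headers: { "content-type": "text/html" } },
  { path: "/sigma/assets/CA_IP_logo_grey_outline.29d275e387437e2f4db0d7f2b4b570df.svg",
    status: 200, headers: { "content-type": "image/svg+xml", "cache-control": "public, max-age=86400" } },
  { path: "/sigma/js/i18n/languages/en.json", status: 200,
    headers: { "content-type": "application/json" } },
  { path: "/sigma/rest/resources/JSON/en.json", status: 404, headers: {} },
  { path: "/sigma/rest/hypothetical/profile", status: 200,
    headers: { "content-type": "application/json", "cache-control": "max-age=600" } },
];

// Assumed allowlist of static UI content: the app shell and its asset/script trees.
const STATIC_EXACT = new Set(["/sigma"]);
const STATIC_PREFIXES = ["/sigma/assets/", "/sigma/js/"];

// Parse a Cache-Control header into a map of directive -> value (true when bare).
function parseCacheControl(value) {
  const directives = {};
  if (!value) return directives;
  for (const part of value.split(",")) {
    const [name, val] = part.trim().split("=", 2);
    if (name) directives[name.toLowerCase()] = val === undefined ? true : val.replace(/^"|"$/g, "");
  }
  return directives;
}

// Scanners raise this finding when none of no-store, no-cache or private is
// present. A missing Cache-Control header therefore counts as cacheable.
function isCacheable(headers) {
  const cc = parseCacheControl(headers["cache-control"]);
  return !(cc["no-store"] || cc["no-cache"] || cc["private"]);
}

function isStaticResource(path) {
  return STATIC_EXACT.has(path) || STATIC_PREFIXES.some((p) => path.startsWith(p));
}

// Verdicts: "not-reachable" (404, nothing to cache), "not-cacheable" (scanner
// false positive), "accept-static" (static UI content, caching is fine) and
// "review-dynamic" (a cacheable response from a non-static path: check it).
function triageFinding(finding) {
  if (finding.status === 404) return "not-reachable";
  if (!isCacheable(finding.headers)) return "not-cacheable";
  if (isStaticResource(finding.path)) return "accept-static";
  return "review-dynamic";
}

function triageAll(findings) {
  const report = {};
  for (const f of findings) report[f.path] = triageFinding(f);
  return report;
}

for (const [path, verdict] of Object.entries(triageAll(SAMPLE_FINDINGS))) {
  console.log(verdict.padEnd(16), path);
}
```

Only the hypothetical /sigma/rest/hypothetical/profile entry comes back as "review-dynamic"; the four paths from the article resolve to "accept-static" or "not-reachable", which is the conclusion the resolution states. Replacing the constructed sample with real responses captured from the scan is the check a practitioner would run before closing the finding.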


  • DOM data manipulation (DOM-based)
    • For example, https://testpwreset.server.sample/sigma/app/index.
    • The default HTML window/document properties 'search', 'href' and 'hash' are blocked ONLY if the Sigma page fails to block the injected values and renders them back on the page. In the provided scenarios, the page fails with '400 Bad Request'.
    • No further action is required; remediation is not needed.
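The behaviour described above, where a page rejects unexpected values arriving through the location sources with a 400-style response instead of rendering them, is what a DOM-data-manipulation finding hinges on. The script below is an added illustration of that pattern, not Identity Portal code. It runs under Node.js on constructed strings in place of the browser's location.search and location.hash, and the parameter names (task, token, lang) and their accepted shapes are assumptions made for the example.

```javascript
// Added example (not Identity Portal code): validate values taken from the DOM
// sources a scanner watches (location.search, location.hash) before they can
// influence rendering, and reject the request outright when they fail.

// Hypothetical allowlist: the parameters a public page accepts and the exact
// shape each value must have. Anything else is rejected.
const ALLOWED_PARAMS = {
  task: /^[a-z][a-z0-9-]{0,31}$/,    // e.g. "forgotten-password"
  token: /^[A-Za-z0-9_-]{16,64}$/,   // opaque tracking token, 16-64 chars
  lang: /^[a-z]{2}(-[A-Z]{2})?$/,    // e.g. "en", "en-US"
};

// Parse a search ("?a=b&c=d") or hash ("#a=b") string into key/value pairs.
// decodeURIComponent throws URIError on malformed percent-encoding; the caller
// treats that as a rejection rather than guessing at the intended value.
function parseFragment(raw) {
  const params = {};
  const body = raw.replace(/^[?#]/, "");
  if (!body) return params;
  for (const pair of body.split("&")) {
    const idx = pair.indexOf("=");
    const key = decodeURIComponent(idx === -1 ? pair : pair.slice(0, idx));
    const val = idx === -1 ? "" : decodeURIComponent(pair.slice(idx + 1));
    params[key] = val;
  }
  return params;
}

// Returns { ok: true, status: 200, params } for acceptable input, or
// { ok: false, status: 400, reason } for anything unexpected. Nothing from a
// rejected request is ever rendered, which is the "400 Bad Request" outcome
// the article describes.
function validateDomInput(raw) {
  let params;
  try {
    params = parseFragment(raw);
  } catch (e) {
    return { ok: false, status: 400, reason: "malformed encoding" };
  }
  for (const [key, val] of Object.entries(params)) {
    const pattern = ALLOWED_PARAMS[key];
    if (!pattern) return { ok: false, status: 400, reason: `unexpected parameter ${key}` };
    if (!pattern.test(val)) return { ok: false, status: 400, reason: `invalid value for ${key}` };
  }
  return { ok: true, status: 200, params };
}

// When a validated value is reflected into a page, it is written as text, never
// as markup. In a browser the equivalent is element.textContent = value; this
// encoder is the string-level stand-in used here so the example runs in Node.
function encodeForHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the label a public task page would show for the tracking token, or the
// rejection text, from a raw location string.
function renderTaskLabel(raw) {
  const result = validateDomInput(raw);
  if (!result.ok) return `400 Bad Request (${result.reason})`;
  const task = result.params.task || "unknown";
  return `Task: ${encodeForHtml(task)}`;
}

// Constructed inputs standing in for location.search / location.hash.
for (const raw of ["?task=forgotten-password&token=abcdefghijklmnop", "#lang=en-US", "?debug=1"]) {
  console.log(raw.padEnd(50), "->", renderTaskLabel(raw));
}
```

The distinction the scanner is probing for is between a page that validates and rejects (the 400 path) and one that echoes whatever it finds in the location back into the DOM; only the first leaves nothing for an injected value to do.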