Symantec Access Management

  • Private Community

  • 1.  Protecting FCC against attacks using encoding/decoding

    Broadcom Employee
    Posted Oct 09, 2013 02:48 PM

    There are customers that prefer to let the application handle cross-site scripting attacks. The FCC is a siteminder applications – this tip describes how to protect the FCC using existing siteminder mechanisms that are part of the language that make the FCCC files programmable.

    SiteMinder FCC files supports three types of encoding and decoding functions.

    smencode()/smdecode()
    urlencode()/urldecode()
    b64encode()/b64decode()

    Basically, anywhere you have $$variable$$, you modify the string to be $$encode function(variable)$$. So $$target$$ becomes $$urlencode(target)$$, for example. Then, to make sure that the variable is properly decoded after a post (important for hidden variables!!), place @variable=%decode function(variable)% at the top of the file in the list of FCC directives. Following my example, you’d add @target=%urldecode(target)%. See the attached login.fcc file for a full working example of how this works. I encourage your team to make the changes in their test environment and retry their XSS attacks.

    This approach provides a fully programmable, variable-by-variable, approach to handling custom data insertion in SiteMinder FCC forms. You will be able to insure that all data is encoded, if you wish, and you can choose the type of encoding: Base64, URL, or SM (a proprietary hybrid of URL encoding). These directives work outside the functionality of CSSChecking and BadFormChars and will work OOB with your environments today.
    Example: Login.fcc

    Need to decode in the directive declaration

    <!-- SiteMinder Encoding=ISO-8859-1; -->
    @username=%USER%
    @smretries=0
    @target=%urldecode(target)%
    @smquerydata=%urldecode(smquerydata)%
    @smagentname=%urldecode(smagentname)%
    @smauthreason=%urldecode(smauthreason)%
    @postpreservationdata=%urldecode(postpreservationdata)%



    <tr>

    <td colspan=4 NOWRAP WIDTH="50%" HEIGHT="25" align="CENTER">

    <input type=hidden name=target value="$$urlencode(target)$$">

    <input type=hidden name=smquerydata value="$$urlencode(smquerydata)$$">

    <input type=hidden name=smauthreason value="$$urlencode(smauthreason)$$">

    <input type=hidden name=smagentname value="$$urlencode(smagentname)$$">

    <input type=hidden name=postpreservationdata value="$$urlencode(postpreservationdata)$$">

    <input type="button" value="Login" onClick="submitForm();">

    </td>



  • 2.  RE: Protecting FCC against attacks using encoding/decoding

     
    Posted Oct 11, 2013 06:01 PM
    Thanks for the tip!


    stephen_mcquiggan wrote:

    There are customers that prefer to let the application handle cross-site scripting attacks. The FCC is a siteminder applications – this tip describes how to protect the FCC using existing siteminder mechanisms that are part of the language that make the FCCC files programmable.

    SiteMinder FCC files supports three types of encoding and decoding functions.

    smencode()/smdecode()
    urlencode()/urldecode()
    b64encode()/b64decode()

    Basically, anywhere you have $$variable$$, you modify the string to be $$encode function(variable)$$. So $$target$$ becomes $$urlencode(target)$$, for example. Then, to make sure that the variable is properly decoded after a post (important for hidden variables!!), place @variable=%decode function(variable)% at the top of the file in the list of FCC directives. Following my example, you’d add @target=%urldecode(target)%. See the attached login.fcc file for a full working example of how this works. I encourage your team to make the changes in their test environment and retry their XSS attacks.

    This approach provides a fully programmable, variable-by-variable, approach to handling custom data insertion in SiteMinder FCC forms. You will be able to insure that all data is encoded, if you wish, and you can choose the type of encoding: Base64, URL, or SM (a proprietary hybrid of URL encoding). These directives work outside the functionality of CSSChecking and BadFormChars and will work OOB with your environments today.
    Example: Login.fcc

    Need to decode in the directive declaration

    <!-- SiteMinder Encoding=ISO-8859-1; -->
    @username=%USER%
    @smretries=0
    @target=%urldecode(target)%
    @smquerydata=%urldecode(smquerydata)%
    @smagentname=%urldecode(smagentname)%
    @smauthreason=%urldecode(smauthreason)%
    @postpreservationdata=%urldecode(postpreservationdata)%



    <tr>

    <td colspan=4 NOWRAP WIDTH="50%" HEIGHT="25" align="CENTER">

    <input type=hidden name=target value="$$urlencode(target)$$">

    <input type=hidden name=smquerydata value="$$urlencode(smquerydata)$$">

    <input type=hidden name=smauthreason value="$$urlencode(smauthreason)$$">

    <input type=hidden name=smagentname value="$$urlencode(smagentname)$$">

    <input type=hidden name=postpreservationdata value="$$urlencode(postpreservationdata)$$">

    <input type="button" value="Login" onClick="submitForm();">

    </td>


  • 3.  RE: Protecting FCC against attacks using encoding/decoding

    Broadcom Employee
    Posted Oct 11, 2013 09:54 PM
    A note on handling HTML Reserved characters : & ' " < >

    HTML specifies a set of "reserved" HTML characters: & ' " < > , when these are added to a HTML document they need need to be encoded as : &amp; &#34; &quot; &lt; &gt; otherwise they can be mistaken as HTML control characters - encoding will make them work as expected.

    You do not want these raw characters added directly to a HTML page; at best the page will not work as expected or at worst it will expose you to a XSS vulnerability. Older agents would encode most of those values when processing .fcc pages variables, but newer agents rely on entries in BadCssChars, BadFormChars and CSSChecking to protect them.

    However these reserved characters are still frequently used such as in : normal URL's; users names; or passwords, and are perfectly safe when properly encoded. So for the Siteminder WebAgent the following ACO parameter has been added:

    fcchtmlencoding=Yes|NoSpecifies whether the HTML encoding is enabled to prevent Cross-Site Scripting attacks against web agent FCC pages. This parameter does not block any characters.
    Values: Yes and No.
    Default: No
    The fcchtmlencoding parameter applies to all the variable substitutions for all the FCC forms. An agent using this parameter can serve one or more FCC forms.

    For safest practice I would recommend setting it to YES, it does no harm, and is essential if you have removed characters from badcsschars list (currently It defaults to NO for backward compatibility). When enabled processing of fcc variables $$var$$ will replace any occurrence of & ' " < > with their html encoded values : &amp; &#34; &quot; &lt; &gt;.

    If the above is not suitable (but generally it will be), or if for safety you also want an additional layer of protection, Steve's method is the recommended approach, and there is now the addition encoding function as well:

    HTMLENCODEFetches the specific variable values, applies the HTML encoding, and substitutes the actual variable values with the encoded values in an FCC file.
    The HTMLENCODE function has the following syntax:
    $$htmlencode(varname)$$

    References :
    http://www.w3schools.com/tags/ref_entities.asp
    Link to ACO section of WebAgent configuration Guilde

    Cheers - Mark


  • 4.  Re: Protecting FCC against attacks using encoding/decoding

    Posted Mar 17, 2016 02:37 AM

    You can not apply the encoding function to ANY form fields...Read below for the reasoning :

     

    It is possible to smencode (or urlencode/b64encode) all the fields in the ssologin.fcc by just doing $$smecnode(variable_name)$$

    Where ,

    variable_name could be target,smquerydata,postpreservationdata or any custom fields.

     

    However, to ensure that the variable is properly decoded after the POST , you will need to do the corresponding decoding for that variable using

    @variable=%decode function(variable)% synatx at the top of your fcc file.

    Now, limitation here is that you can NOT define any variable here. Only certain special variable are allowed here.

    These are called directives.

     

    In other words, there are only limited set of directives which are allowed for special processing and they are :

    https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/policy-server-configuration/authentication-schemes/configure-html-forms-authentication

    -username

    -password

    -target

    -smheaders

    -smerrorpage

    -smretries

    -smpasswordfcc

    -smusrmsg

    -smauthreason

    -smsavecreds

    -smsave

    -save

    -smtransient

    -smagentname

    -smlogout

     

    So , as you can see , you cannot encode "postpreservationdata" field or any other custom fields, because they are NOT a valid directive and as such they won't be decoded even if you specify following at the top of your fcc :

    @postpreservationdata=%smdecode(postpreservationdata)%

     

    This will eventually cause the postpreservationdata to be unable to decode after the POST is complete.



  • 5.  Re: Protecting FCC against attacks using encoding/decoding

    Broadcom Employee
    Posted Mar 17, 2016 11:49 AM

    Added info: postpreservationdata if encoded will likely break since the data POSTed by the form won’t be in the exact format expected by the agent.  When there is preserved post data, the data should already be base64 encoded and safe for posting