CA Tuesday Tip: SiteMinder: Why you need to care about XSS

Discussion created by jeff.tchang on Jul 5, 2011
Latest reply on Aug 1, 2011 by jedwards1.1

CA SiteMinder Tuesday Tip by Jeff Tchang "Why you need to care about XSS" for 7/05/2011

Cross-site scripting (XSS) is a pervasive vulnerability commonly found in web applications. It is especially important for SiteMinder users to recognize, because the majority of applications protected by SiteMinder are web apps. Cross-site scripting vulnerabilities can lead to user account compromise as well as leakage of private data.

The good part is that SiteMinder offers basic protection against XSS attacks. It does this by scanning the URL for characters commonly used in XSS payloads. By default SiteMinder looks for the characters specified in the Web Agent Configuration parameter "BadCssChars".

The default is:


A quick analysis of why these characters:

- The < and > are included because XSS usually involves injecting tags such as <script>.
- The single quote is common because attacks generally try to terminate an HTML attribute early and then inject additional attributes after it.
- The semicolon and the left and right parentheses are commonly used to group attack expressions. The semicolon is also common in SQL injection.
- Ampersands can be abused to terminate a URL early. Note that this does not refer to the ampersands in the URL query string (those are fine, since they delimit parameters).
- The plus sign is used to concatenate strings or as a substitute for a space.
- The last entry, %00, is the null byte. Commonly represented in C as "\0", it can be used to terminate a string early. It is only recently that this type of attack vector has made a resurgence.

For more information, take a look at the CA SiteMinder Web Agent Guide. It is highly recommended that BadCssChars be tuned for your specific applications. Some applications use these characters legitimately, and their requests will then get caught in the filter. However, best practice dictates that you avoid these characters when creating URLs for your web app.

-Jeff Tchang
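As an added illustration (not SiteMinder's own code, and not part of the original tip), here is a small Python model of the URL scan described above: the character list is reconstructed from the bullet points, query-string ampersands are treated as delimiters rather than bad characters, and a helper shows per-application tuning. The URLs are constructed samples.

```python
from urllib.parse import urlsplit, unquote

# Character list as enumerated in the tip (reconstructed from the bullets,
# not copied from a real Web Agent configuration file).
DEFAULT_BAD_CSS_CHARS = ["<", ">", "'", ";", ")", "(", "&", "+", "%00"]


def check_url(url, bad_chars=DEFAULT_BAD_CSS_CHARS):
    """Return a list of (location, offending_entry) hits; empty means clean.

    The path and each query-string value are inspected after percent-decoding,
    so "%3Cscript%3E" is caught as "<" and "%00" is caught as the null byte.
    Ampersands that delimit query parameters are never flagged because the
    query is split on them before inspection; an encoded ampersand inside a
    single value (a%26b) decodes to "&" and is flagged.
    """
    parts = urlsplit(url)
    # Map the "%00" entry to the byte it decodes to; every other entry is literal.
    literal = [("\x00" if c.lower() == "%00" else c) for c in bad_chars]
    segments = [("path", unquote(parts.path))]
    for pair in (parts.query.split("&") if parts.query else []):
        name, _, value = pair.partition("=")
        segments.append(("query:" + unquote(name), unquote(value)))
    hits = []
    for where, text in segments:
        for raw, ch in zip(bad_chars, literal):
            if ch in text:
                hits.append((where, raw))
    return hits


def tuned_chars(remove=()):
    """Per-application tuning: drop entries the application uses legitimately."""
    return [c for c in DEFAULT_BAD_CSS_CHARS if c not in set(remove)]


if __name__ == "__main__":
    samples = [  # constructed examples, not captured traffic
        "http://app.example/report?from=2011&to=2012",
        "http://app.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
        "http://app.example/file?name=report.pdf%00.jsp",
        "http://app.example/search?q=cross+site",
    ]
    for u in samples:
        print(u, "->", check_url(u) or "clean")
    # An app that legitimately uses "+" as a space would tune the list:
    print("tuned:", check_url(samples[-1], tuned_chars(remove=["+"])) or "clean")
```

Logging the (location, character) pairs rather than only the blocked/allowed decision makes it much easier to see which applications need tuning and which requests were genuine attack attempts.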