Symantec Access Management

  • 1.  Cross site scripting

    Posted Sep 05, 2014 07:19 AM

    Hi All,

     

    I'm going through some security vulnerability testing. In that, I'm injecting some arbitrary parameters into the SAML Request and accessing the modified SAML Request. Now, I want to stop any request which contains CSS characters. Can anyone explain to me how to do that?

    I have entered 548fc"-alert(XSS)-"1ht19 in the request and accessed it, and also enabled BadCSSChars="%22", CSSChecking=Yes, but I can still log in to the application. SiteMinder is not blocking the request. Do I need to do anything else?

     

    https://<HOSTNAME>/affwebservices/redirectjsp/redirect.jsp?SAMLRequest=jZJRT4MwFIXf%2FRWk79Cu2%2BLWDJbpNJrMSAb64IspcCddWIu9BfXfC0OjxsT42Paec%2B69XxfL10PltWBRGR2SUcCIBzo3hdJPIblLL%2F0ZWUYnC5SHitdi1bhSb%2BG5AXTeChGs63TnRmNzAJuAbVUOd9tNSErnahSUFtAGBVRGOQdKa9PKXhE0SDOriiegvTNNklsqKyWRrofrJPY7pZ8km8cL7ZR7W%2FWvxFt3wUofPf6TIXe7F8hw6Atp3WSVyo%2BRHNEQ79LYHI5DhWQnKwTiXa9DIjkvy%2Bk%2BV7OS8xGM%2BemcSVmMWZbtYTLrijCWiKqFLxliA9candQuJJyNJj6b%2B2yajpjgXDAWzOeTB%2BLF1jiTm%2BpM6WHHjdXCSFQotDwACpeLZHWzETxgIhuKUFylaezHt0lKvPtPVrxn1dHTKAY6f3vVH8EkGmCKY8f2u8PfBvITN4l%2BQVrQ757Rx%2FHnf4neAQ%3D%3D548fc"-alert(XSS)-"1ht19&SMPORTALURL=https%3A%2F%2F<HOSTNAME>%2Faffwebservices%2Fpublic%2Fsaml2sso

     

    Thanks,

    Sandeep.



  • 2.  Re: Cross site scripting

    Posted Sep 05, 2014 08:50 AM

    Sandeep,

     

    SiteMinder only checks GET variables for BadURLChars, BadCSSChars and BadQueryChars.

    In my experience SAML uses POST.

    I believe this would be a useful Enhancement Request.

    If you post it to the security group I will second it.

     

    -Josh



  • 3.  Re: Cross site scripting
    Best Answer

    Posted Sep 07, 2014 07:35 PM

    Hi Sandeep,

     

    I think what you need here is: BadQueryChars & BadUrlChars.

    Have you already tried setting them?

     

    Cheers,

    Ujwol



  • 4.  Re: Cross site scripting

    Posted Sep 08, 2014 03:21 AM

    Hi All,

     

    I have added 'BadURLChars' as well, and then it started working. SiteMinder is blocking the request.

    Yes Ujwol, I have tried adding the above parameter in the ACO and then it worked.



  • 5.  Re: Cross site scripting

    Posted Sep 09, 2014 06:52 AM

    Hi Ujwol/Josh,

     

    I'm facing an issue in my QA environment. I have added a similar config, but I'm still facing the issue.

    I guess something is overwriting it, or it is ignored when we add the characters into the SAML request.

    The payload I'm inserting is "548fc"-alert(XSS)-"1ht19", and in the request it is coming through as "548fc-"-alert(XSS)--"1ht19", with an extra hyphen before the quotes (").

    Can you please assist here?



  • 6.  Re: Cross site scripting

    Posted Sep 09, 2014 07:42 AM

    LegacyEncoding

    What is your setting? Yes or No?

    Have you tried flipping that?



  • 7.  Re: Cross site scripting

    Posted Sep 10, 2014 02:10 AM

    Hi Josh,

     

    It was commented out before. I set the parameter to Yes, and then it started blocking any modified SAML requests.

    Thank you.
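The thread settles on two things: a request is only rejected if the relevant ACO blocklist (BadURLChars for the path, BadQueryChars for the query string) is actually set, and in the QA environment the block only took effect once the encoding setting was flipped. The Python below is an added illustration, not SiteMinder's code and not taken from this thread: it models those blocklists as sets of characters and runs them over a constructed copy of the request from post 1 (placeholder hostname, shortened SAMLRequest blob). The `decode_first` switch is an assumption used to show why a filter that looks at the raw, still percent-encoded string can miss a payload that a filter looking at the decoded string catches; the thread does not say what LegacyEncoding changes internally, and the parameter names in the code are the thread's ACO names only by analogy.

```python
"""Model of BadURLChars / BadQueryChars style request filtering.

Constructed illustration only. Real ACO values are comma-separated strings
(and may contain ranges such as %00-%1f); here each setting is a plain set of
single characters applied to one part of the decoded request URL.
"""
from urllib.parse import urlsplit, unquote

# Constructed copy of the redirect.jsp request from the thread. The hostname is
# a placeholder and the SAMLRequest value is shortened; the trailing
# 548fc"-alert(XSS)-"1ht19 is the probe string exactly as it was inserted.
SAMPLE_URL = (
    'https://sso.example.invalid/affwebservices/redirectjsp/redirect.jsp'
    '?SAMLRequest=jZJRT4MwFIXf%2FRWk79Cu2548fc"-alert(XSS)-"1ht19'
    '&SMPORTALURL=https%3A%2F%2Fsso.example.invalid%2Faffwebservices'
    '%2Fpublic%2Fsaml2sso'
)

# Same request with the probe characters percent-encoded by the client.
ENCODED_URL = SAMPLE_URL.replace('"', '%22').replace('(', '%28').replace(')', '%29')

# Constructed blocklists standing in for the ACO parameters named in the
# thread (assumed values, chosen for the demonstration).
BAD_CHARS = {
    "BadURLChars":   set('<>"\'\\'),     # applied to the URL path
    "BadQueryChars": set('<>"\'(){}'),   # applied to the query string
}


def decode(part: str) -> str:
    """Percent-decode until the string stops changing, so that a
    double-encoded %2522 becomes %22 and then a literal quote."""
    prev = None
    while prev != part:
        prev, part = part, unquote(part)
    return part


def offending(value: str, bad: set) -> str:
    """Return the first blocked character present in value, or '' if none."""
    return next((c for c in value if c in bad), "")


def check_request(url: str, decode_first: bool = True) -> dict:
    """Run each blocklist over its part of the URL.

    Returns {"blocked": bool, "by": setting name or '', "char": char or ''}.
    With decode_first=False the raw (encoded) text is scanned instead, which
    models a filter that does not canonicalise before matching.
    """
    parts = urlsplit(url)
    sections = {"BadURLChars": parts.path, "BadQueryChars": parts.query}
    for setting, raw in sections.items():
        text = decode(raw) if decode_first else raw
        hit = offending(text, BAD_CHARS[setting])
        if hit:
            return {"blocked": True, "by": setting, "char": hit}
    return {"blocked": False, "by": "", "char": ""}


if __name__ == "__main__":
    for label, url in (("raw probe", SAMPLE_URL), ("encoded probe", ENCODED_URL)):
        for mode in (True, False):
            verdict = check_request(url, decode_first=mode)
            print(f"{label:14} decode_first={mode!s:5} -> {verdict}")
```

Running it shows the raw probe is caught either way (the literal quote is visible without decoding), while the percent-encoded probe only trips BadQueryChars when the filter decodes first. That is the general lesson behind the thread's LegacyEncoding fix: a blocklist is only as good as the canonical form of the input it is compared against.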