A Cross Site Scripting (XSS) attack can occur when an application displays input text from a browser (typically, data from a post or data from query parameters on a URL) without filtering for characters that can form an executable script when displayed at the browser. The display of these characters can lead to an unwanted script being executed on the browser.
CA SiteMinder® Federation Standalone provides several JSPs for use with federation functionality. These JSPs check characters in a request to be sure that unsafe information in the output stream is not displayed in the browser.
When CA SiteMinder® Federation Standalone receives a request, the following JSPs scan the decoded values for cross-site scripting characters:
Used at the relying party for Identity Provider Discovery.
Used at the relying party for dynamic account linking.
Used at the IDP to initiate single sign-on. This is a sample application you can use to direct the user first to the SSO Service and then to the custom web application. Typically, you use your own application.
Used at the Account Partner for WS-Federation sign out.
Used for IdP-initiated single sign-on when the user is sent directly to the web application and not initially to the SSO Service.
The pages scan the request for the following characters:
|
Character |
Description |
|---|---|
|
< |
left angle bracket |
|
> |
right angle bracket |
|
‘ |
single quotation mark |
|
“ |
double quotation mark |
|
% |
percent sign |
|
; |
semi-colon |
|
( |
open (left) parenthesis |
|
) |
closed (right) parenthesis |
|
& |
ampersand |
|
+ |
plus sign |
Each CA SiteMinder® Federation Standalone-provided JSP contains a variable that defines the characters to scan. Modify these JSPs to expand the character set.
|
Copyright © 2013 CA.
All rights reserved.
|
|