

Protect Against XML Signature Wrapping Attacks
A malicious user can carry out an XML signature wrapping attack by altering the signed content of a document without invalidating its signature.
If a federation transaction fails, examine the smtracedefault.log file and the fwstrace.log file. These log files can record a signature verification failure. The failure to verify a signature can occur for the following reasons:
- A duplicated ID element exists in the XML document, and duplicate ID attributes are not permitted. The signature references this duplicated ID.
- A signature wrapping condition is logged, for example, the signature does not reference the expected parent element.
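As an added illustration (not CA's code and not the product's own verification logic), the following Python check reproduces the two logged conditions above on constructed SAML-style messages; the element names, the ID attribute name and the sample documents are assumptions.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML Signature namespace

def xsw_findings(xml_text, id_attr="ID"):
    """Return the findings the two log conditions describe: a signature
    that references a duplicated ID, and a signature whose Reference does
    not point at the element that encloses it (its expected parent)."""
    root = ET.fromstring(xml_text)
    # Every element that carries each ID value (duplicates are the problem).
    ids = {}
    for el in root.iter():
        value = el.get(id_attr)
        if value is not None:
            ids.setdefault(value, []).append(el)
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for sig in root.iter(DS + "Signature"):
        enclosing = parent.get(sig)
        for ref in sig.iter(DS + "Reference"):
            uri = ref.get("URI", "")
            if not uri.startswith("#"):
                continue  # only same-document references are relevant here
            target = uri[1:]
            if len(ids.get(target, [])) > 1:
                findings.append(f"duplicate ID '{target}' referenced by signature")
            if enclosing is None or enclosing.get(id_attr) != target:
                findings.append(f"signature reference '{uri}' does not point at its parent element")
    return findings

# Constructed sample: the signature sits inside the assertion it references.
GOOD = """<Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <Assertion ID="a1"><Subject>alice</Subject>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature>
 </Assertion></Response>"""

# Constructed sample of a wrapped message: the original assertion and its
# signature are moved under Extensions and a second Assertion reuses ID a1.
WRAPPED = """<Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <Assertion ID="a1"><Subject>mallory</Subject></Assertion>
 <Extensions><Assertion ID="a1"><Subject>alice</Subject></Assertion>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature>
 </Extensions></Response>"""

if __name__ == "__main__":
    print(xsw_findings(GOOD))     # []
    print(xsw_findings(WRAPPED))  # two findings
```

Either finding corresponds to one of the log conditions listed above, so a message that produces any finding is one that signature verification would reject.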
To protect against signature vulnerabilities:
- Navigate to the xsw.properties file in one of the following locations:
  - If you see the error message in the smtracedefault.log file, go to federation_install_dir/siteminder/config/properties
  - If you see the error message in the fwstrace.log file, go to federation_install_dir/secure-proxy/tomcat/webapps/affwebservices/web-INF/classes
- Add the following settings to the xsw.properties file, and set each one to true:
  DisableXSWCheck=true
  DisableUniqueIDCheck=true
- Save the file.
Copyright © 2013 CA.
All rights reserved.