000034245 - Cross Site Scripting (XSS) [OWASP Top Ten 2013 - A3] in RSA Adaptive Authentication (OnPrem)

Document created by RSA Customer Support Employee on Nov 25, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000034245
Applies To: RSA Product Set: Adaptive Authentication (OnPrem)
RSA Product/Service Type: Adaptive Authentication (OnPrem)
RSA Version/Condition: 6 SP3 P4
 
Issue
Findings reported by the security test:

1. Cross Site Scripting (XSS) [OWASP Top Ten 2013 - A3]
   Finding: The values of some parameters are included verbatim in the HTTP response, or written to the database with no edits. This allows an attacker to send arbitrary HTML or JavaScript to the server and have it included in the response, so that the attacker's own functions can appear and execute within a page of the application. The test found this vulnerability in several specific parameters, but it is likely that more are vulnerable. Apply the solution to all inputs, not only those specifically reported.
   Status: Development analysis in progress
   Severity: High
   Recommendation: Filter input to allow only expected characters. Use a whitelist, not a blacklist. Simply filtering known attack signatures is a faulty solution. Also, encode output to avoid writing to a database or an HTTP response any code that may have come from (or been altered by) users. Ideally, pass all user input through a single filter, and output through a single encoder, appropriate to the context in which the output appears. See http://tinyurl.com/XSS-defense for details.

2. Unvalidated Redirects and Forwards [OWASP Top Ten 2013 - A10]
   Finding: The application allows redirects to arbitrary URLs. An attacker could send a user to a malicious site by bouncing off of this one, giving the malicious site the appearance that it is part of this application.
   Status: Development analysis in progress
   Severity: High
   Recommendation: Do not redirect to a URL that could be manipulated by an attacker. Redirect only to known-good URLs.
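
The two recommendations above (a single allowlist input filter, a single context-appropriate output encoder, and redirects only to known-good URLs), as an added Python example that is not part of this article or of the RSA product; the field names, allowlist patterns and known-good redirect list are assumptions constructed for the example.

```python
import html
import json
import re
from urllib.parse import quote, urlsplit

# Allowlist patterns per input field (constructed for this example, not the product's).
FIELD_PATTERNS = {
    "username": re.compile(r"[A-Za-z0-9._-]{1,64}"),
    "org_id": re.compile(r"[0-9]{1,12}"),
}

# Known-good redirect targets (constructed for this example).
KNOWN_GOOD_REDIRECTS = {"/home", "/account/settings", "/logout"}


def is_allowed_input(field: str, value: str) -> bool:
    """Single input filter: accept only the characters the field is expected to carry."""
    pattern = FIELD_PATTERNS.get(field)
    return pattern is not None and pattern.fullmatch(value) is not None


def encode_for_context(value: str, context: str) -> str:
    """Single output encoder; the caller names where the value will be written."""
    if context == "html":
        # Text between tags or inside a quoted attribute: escape & < > " '.
        return html.escape(value, quote=True)
    if context == "js":
        # Inside a <script> string literal: emit a JSON string literal and also
        # escape angle brackets so the value can never contain a literal </script>.
        return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")
    if context == "url":
        # Inside a query-string parameter: percent-encode all but unreserved characters.
        return quote(value, safe="")
    raise ValueError(f"unknown output context {context!r}")


def safe_redirect_target(requested: str, default: str = "/home") -> str:
    """Return the requested target only if it is exactly a known-good path, else the default."""
    parts = urlsplit(requested)
    # A scheme or host (including a protocol-relative //host) means off-site; a backslash
    # is treated as a path separator by some browsers, so refuse it as well.
    if parts.scheme or parts.netloc or "\\" in requested:
        return default
    if parts.query or parts.fragment or parts.path not in KNOWN_GOOD_REDIRECTS:
        return default
    return parts.path
```

Every place the application writes a parameter back into a page picks one of the named contexts instead of choosing its own escaping, which is what keeps the encoder single and consistent.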

Resolution
Refer to the attachment and download pmfso.swf. This fix is for the 6 SP3 P4 versions.
This XSS vulnerability is not reproducible in a 7.3 environment, and the customer is on v6, which is EOL.
