Remediation for vulnerabilities

Document ID : KB000129870
Last Modified Date : 22/03/2019
Question:
Three vulnerabilities were found in the Web Agent for IIS (8.5) and SPS.

(1) X-Frame-Options header isn't set
Because the X-Frame-Options header isn't set, the site is vulnerable to clickjacking.
Target: entire site

Is this prevented by the following feature?

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/web-agent-configuration/user-protection-and-tracking/help-prevent-attacks#HelpPreventAttacks-EnsureAgentResponsesComplywithX-Frame-Options

(2) Content Security Policy isn't set
Because no Content Security Policy is set, the browser's protections against HTML injection attacks such as cross-site scripting are not enabled.
Target: entire site

(3) Possible redirection to an inappropriate URL by inserting a URL as a parameter.
Example:
https://siteminder.excample.com/forms/login.fcc?...(snip)...TARGET=-SM-http%3a%2f%2fad%2ecaj%2eco%2ejp%2fprotection%2fmenu

Is using the "SecureURLs" ACO parameter a solution?
Answer:
(1) Yes. The details are explained in the URL referred to in the inquiry.

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/web-agent-configuration/user-protection-and-tracking/help-prevent-attacks#HelpPreventAttacks-EnsureAgentResponsesComplywithX-Frame-Options

(2) Please implement Content Security Policy (CSP) in the protected applications and content if necessary. CA Single Sign-On doesn't have any special features for CSP.

(3) Yes. Using the "SecureURLs" ACO parameter is a solution.
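The following is an added example and is not part of the KB article or of CA Single Sign-On. It is a small offline checker for the three findings in the question: it reports whether a set of response headers would be flagged for missing clickjacking protection (X-Frame-Options or a CSP frame-ancestors directive) or for a missing Content-Security-Policy, and it inspects the TARGET parameter of a SiteMinder login.fcc URL to see whether it would send the user to a host outside the site. The header sets, host names and login URLs are constructed sample input, and the treatment of a non-URL value after the -SM- prefix as an opaque (for example SecureURLs-encrypted) target is an assumption of this example, not a statement about the product.

```python
"""Added example, not from the CA KB article: offline checks for the three findings
(missing X-Frame-Options, missing CSP, open redirect through TARGET)."""
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample response headers, as a page served through the IIS Web Agent
# might return them. The first set has neither header; the second is hardened.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Microsoft-IIS/8.5",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'; object-src 'none'",
}

# Constructed placeholder host names and login URLs (not the ones in the question).
OWN_HOSTS = {"sso.example.com", "app.example.com"}
SAFE_LOGIN_URL = ("https://sso.example.com/forms/login.fcc?"
                  "TARGET=-SM-https%3a%2f%2fapp.example.com%2fprotected%2fmenu")
OPEN_REDIRECT_URL = ("https://sso.example.com/forms/login.fcc?"
                     "TARGET=-SM-http%3a%2f%2fattacker.example.net%2fphish")


def header_findings(headers):
    """Return the findings a scanner would raise for these response headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "")
    # A CSP frame-ancestors directive is the modern equivalent of X-Frame-Options,
    # so either one is enough to close the clickjacking finding.
    has_frame_ancestors = any(d.strip().startswith("frame-ancestors") for d in csp.split(";"))
    if xfo not in ("DENY", "SAMEORIGIN") and not has_frame_ancestors:
        findings.append("clickjacking: no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors")
    if not csp:
        findings.append("no Content-Security-Policy header")
    return findings


def redirect_finding(login_url, own_hosts):
    """Inspect the TARGET parameter of a SiteMinder-style login URL.

    Returns None when TARGET is relative, points at one of own_hosts, or is not a
    URL at all (assumption in this example: an opaque value after the -SM- prefix is
    an encrypted SecureURLs target and cannot be steered by an attacker). Otherwise
    returns a description of the open redirect.
    """
    query = parse_qs(urlparse(login_url).query)  # parse_qs already percent-decodes once
    target = query.get("TARGET", [""])[0]
    if target.startswith("-SM-"):
        target = target[len("-SM-"):]
    target = unquote(target)  # a second decode catches double-encoded values
    parsed = urlparse(target)
    if not parsed.scheme and not parsed.netloc:
        return None  # relative path or opaque (encrypted) value
    if parsed.scheme in ("http", "https") and parsed.hostname in own_hosts:
        return None
    # Anything else: external host, protocol-relative "//host", or a non-http scheme.
    return f"open redirect: TARGET sends the user to {target}"


if __name__ == "__main__":
    for name, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, header_findings(headers) or "no header findings")
    for url in (SAFE_LOGIN_URL, OPEN_REDIRECT_URL):
        print(url, "->", redirect_finding(url, OWN_HOSTS) or "target stays on site")
```

The header check accepts a CSP frame-ancestors directive in place of X-Frame-Options because browsers prefer the directive when both are present; the redirect check flags protocol-relative targets ("//host/...") and non-http schemes as well as foreign hosts, since all three are ways a TARGET value can leave the site.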