IBM Verify


ISVA - Application Security PenTest vulnerability

  • 1.  ISVA - Application Security PenTest vulnerability

    Posted Tue January 05, 2021 02:31 AM
    Hi All,

    We have deployed ISVA 10 for one of our customers. The main use case as part of the first phase is Federation with one cloud-based application and password reset functionality (enabled via USC).

    During Application Security PenTest, the teams have reported the below items.

    1. The application is vulnerable to a URL redirection flaw
    2. Password submitted using the GET method
    3. An adversary might be able to use sensitive information revealed by error messages to launch further attacks

    I am not sure why these items were identified, and I think only some configuration change on the WebSEAL side will fix these issues.

    Example:
    I have modified the below property in the WebSEAL configuration file.
    suppress-server-identity = yes

    Can someone help me with what things should be done to resolve the above PEN TEST and App Scan issues?
    Also, how can I replace all error message pages with a generic error message page which does not reveal any internal information?

    Thanks in advance.

    Regards,
    Prashant Narkhede

    ------------------------------
    Prashant Narkhede
    ------------------------------


  • 2.  RE: ISVA - Application Security PenTest vulnerability

    Posted Tue January 05, 2021 03:12 AM
    Edited by Joao Goncalves Tue January 05, 2021 03:14 AM
    This is really interesting.
    I believe most of them or perhaps all of them are solvable.
    For example, the GET problem is something that is easy to solve, just by making sure you only accept POSTs in the configuration. You should even use SSL when exchanging cookies with the clients.
    Regarding revealing sensitive information, it is possible that the information is coming from either the backend servers, or if they are local files (e.g. login.html) you can always change this information from the local ISAM.
    For the URL redirection flaw, I believe you are talking about CWE-601; you can use CORS, which is now supported in version 10.


    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------
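The following is an added example, not code from the thread or from IBM: a small Python checker that re-tests a captured HTTP response for the three findings in the question (external redirect target, password field in a GET form, and a leaked Server header that `suppress-server-identity = yes` should remove). The allowed host name and the sample response are assumptions constructed for the example.

```python
"""Re-check a captured WebSEAL response for the three PenTest findings."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"sso.example.com"}  # assumption: the WebSEAL public hostname


class _FormScan(HTMLParser):
    """Collects (method, has_password_field) for every <form> in the body."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # HTML default method is GET when none is given
            self._cur = [(a.get("method") or "get").lower(), False]
        elif tag == "input" and self._cur and (a.get("type") or "").lower() == "password":
            self._cur[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._cur:
            self.forms.append(tuple(self._cur))
            self._cur = None


def redirect_is_safe(location, allowed=ALLOWED_HOSTS):
    """CWE-601 check: only relative paths or URLs on an allowed host are safe."""
    if location.startswith(("//", "\\")):  # protocol-relative or backslash tricks
        return False
    parts = urlsplit(location)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    return parts.netloc == "" or parts.hostname in allowed


def password_forms_use_post(html):
    """True when every form containing a password field submits via POST."""
    scan = _FormScan()
    scan.feed(html)
    return all(method == "post" for method, has_pw in scan.forms if has_pw)


def leaks_server_identity(headers):
    """True if the response still advertises the product or platform."""
    return any(k.lower() in ("server", "x-powered-by") for k in headers)


def check_response(status, headers, body):
    """Return the list of findings for one captured response."""
    findings = []
    loc = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if 300 <= status < 400 and loc and not redirect_is_safe(loc):
        findings.append("open-redirect")
    if not password_forms_use_post(body):
        findings.append("password-over-get")
    if leaks_server_identity(headers):
        findings.append("server-identity")
    return findings
```

Feed it the status, headers and body of each response from the scan report to confirm a configuration change actually closed the finding.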