IBM Security Verify

  • 1.  PD_STATEFUL Cookie Protection

    Posted Tue June 23, 2020 12:42 PM
    Hi,

    There is a low-level vulnerability on the WebSEAL cookie (PD_STATEFUL). I found an IBM note where a process is given to make it HTTPOnly using an httptransformation rule.

    https://www.ibm.com/support/pages/setting-pdstateful-cookie-secure 

    Point 1: Every time WebSEAL creates this cookie it generates a new cookie name. Below are two values observed so far on the same ISAM environment:
    PD_STATEFUL_8c02899c-abbd-11ea-b4f3-005056b1e0cf
    PD_STATEFUL_8b012b34-abbd-11ea-b4f3-005056b1e0cf

    I tried all possible ways using an httptransformation rule to make this cookie HTTPOnly and Secure. Below is the httptransformation rule:

    <?xml version="1.0" encoding="UTF-8"?>
    <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
      <xsl:strip-space elements="*" />

      <!-- The root template must emit the HTTPResponseChange wrapper that WebSEAL expects -->
      <xsl:template match="/">
        <HTTPResponseChange>
          <xsl:apply-templates />
        </HTTPResponseChange>
      </xsl:template>

      <!-- One template per match pattern: two templates with the same match pattern are ambiguous -->
      <xsl:template match="//HTTPResponse/Cookies">
        <xsl:for-each select="Cookie[@name='PD_STATEFUL_8c02899c-abbd-11ea-b4f3-005056b1e0cf'
                                     or @name='PD_STATEFUL_8b012b34-abbd-11ea-b4f3-005056b1e0cf']">
          <Cookie action="update" name="{@name}">
            <Secure>1</Secure>
            <!-- HTTPOnly must be 1, not 0, for the HttpOnly flag to be set -->
            <HTTPOnly>1</HTTPOnly>
          </Cookie>
        </xsl:for-each>
      </xsl:template>
    </xsl:stylesheet>


    I could see something in the pdweb.http logs, but the cookie is not becoming HTTPOnly and Secure. Tried multiple ways (like the httptransformation rule as HTTPRequestChange and as HTTPResponseChange), but it's not becoming HTTPOnly.

    Then I found another IBM note saying:

    It is not possible to modify the body of the request or response. Similarly, you cannot modify cookies or headers that are inserted by WebSEAL. For example, the Host, iv-user and iv-creds junction headers.

    Is that the case, or is there still a way we can make the PD_STATEFUL cookie HTTPOnly and Secure?


    Thanks,
    Usman



    ------------------------------
    UsmanAli Shaik
    ------------------------------


  • 2.  RE: PD_STATEFUL Cookie Protection

    Posted Wed June 24, 2020 04:13 AM
    Hi Usman,

    I propose that you further troubleshoot this, using the tips below.
    These were taken from the OpenMic session, see this link: https://www.ibm.com/support/pages/node/618613
    You might see things more clearly when using pdweb.http.transformation and/or looking at the WebSEAL message log and/or using an XSLT checker.

    Another great resource with updates on 9.0.6 and 9.0.7 can be found here: https://www.ibm.com/support/pages/demand-webinar-available-mechanisms-modify-http-data-ibm-security-access-manager-5-september-2019-slides-are-attached

    IBM Support has examples on our github: this LINK gets you straight to the example where Secure is set on a cookie.
    Also: try to isolate the problem, by first trying to set Secure only and see if that works.

    Hope this helps.
    Cheers, Peter.


    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 3.  RE: PD_STATEFUL Cookie Protection

    Posted Thu June 25, 2020 01:48 AM
    Hi Peter,

    Thanks for sharing all the material. I went through the YouTube session and understood the limitation: headers and cookies that are created by WebSEAL cannot be altered. In the particular limitations section, it is explained that junction cookies also cannot be altered.
    Conclusion: PD_STATEFUL_UUID is created by WebSEAL for stateful junctions and cannot be modified in any way. The other artifact for this conclusion is from the IBM web site under ISAM 9.0.6:

    https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.6/com.ibm.isam.doc/wrp_config/concept/con_http_transforms.html

    Note
    1. It is not possible to modify the body of the request or response. Similarly, you cannot modify cookies or headers that are inserted by WebSEAL. For example, the Host, iv-user and iv-creds junction headers.
    2. WebSEAL pages under the lib/html directory are referred to as HTML server response pages. These response pages are grouped into:
      • Account management pages.
      • Error message pages.

      You can configure the names of these response pages in the [acnt-mgt] stanza.



    I ask because I do not want to pass the wrong information to the customer on how to close this vulnerability.

    Thanks,
    Usman


    ------------------------------
    UsmanAli Shaik
    ------------------------------



  • 4.  RE: PD_STATEFUL Cookie Protection

    Posted Thu June 25, 2020 02:28 AM
    Hi Usman,

    I'll do some further investigation on this and will come back to you.
    Meanwhile: can you share your ISAM version/fixpack with me?

    Cheers, Peter.

    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 5.  RE: PD_STATEFUL Cookie Protection

    Posted Thu June 25, 2020 05:45 AM
    Hello Usman,

    I was able to make the PD_STATEFUL_... cookie Secure and HTTPOnly but only if I invoked the HTTP Transformation from a POP rather than using the request-match parameters in the configuration file.

    I have a transformation rule (called "cookies") like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
        version="1.0" xmlns:external="http://xsltfunctions.isam.ibm.com">

      <!-- Firstly, strip any space elements -->
      <xsl:strip-space elements="*" />

      <!--
        Perform a match on the root of the document. Output the required
        HTTPResponseChange elements and then process templates.
      -->
      <xsl:template match="/">
        <HTTPResponseChange>
          <xsl:apply-templates />
        </HTTPResponseChange>
      </xsl:template>

      <xsl:template match="//HTTPResponse/Cookies">
        <xsl:for-each select="Cookie">
          <Cookie action="update" name="{@name}">
            <Secure>1</Secure>
            <HTTPOnly>1</HTTPOnly>
          </Cookie>
        </xsl:for-each>
      </xsl:template>

    </xsl:stylesheet>

    This matches and adds Secure and HTTPOnly to all cookies it detects in responses.

    In my WebSEAL configuration file I have:

    [http-transformations]
    cookies = cookies

    I also have this (not sure if required but I was getting an error related to size of my headers):

    [http-transformations:cookies]
    xslt-buffer-size = 8192

    I then created a POP (called "cookies")
    This POP has an extended attribute with (case-sensitive) name HTTPTransformation and value Response=cookies.
    The POP is attached to the junction object (in my case I attached to /WebSEAL/<server>/mga)

    With this done, all cookies from the /mga junction are HTTPOnly and Secure:



    I hope this helps.

    Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 6.  RE: PD_STATEFUL Cookie Protection

    Posted Mon June 29, 2020 06:12 AM

    Hi Jon,

    I could protect this cookie while it's in the HTTP response using the transformation rule.

    One observation: this cookie is in the HTTP request also, where it is still shown as not protected.

    I created another rule for the request and a POP, but still it's not protected.

    Any clue, please?

    The junction I tried is EAI.



    ------------------------------
    UsmanAli Shaik
    ------------------------------



  • 7.  RE: PD_STATEFUL Cookie Protection

    Posted Mon June 29, 2020 06:41 AM
    Usman,

    Cookie options (HttpOnly, Secure, SameSite, Domain etc.) are specified when the cookie is set (in HTTP Response).
    The options control how the cookie is used by the browser.
    You should see the options set for the cookie if you look at cookies in browser tools.

    Cookie options are NOT sent with the cookie when it is presented by the browser (in HTTP Request).  That doesn't mean that the cookie does not have those options.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
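    A small check that ties Jon's two points together (the POP-invoked transformation in reply 5 and the explanation in reply 7 that flags exist only in Set-Cookie): it audits response Set-Cookie headers for every PD_STATEFUL_* cookie regardless of the UUID suffix, and parses the request Cookie header to show that it carries no attributes at all. This is an added example written for this thread, not code from IBM or from the posters; the header values are constructed, not captured from a real WebSEAL.

```python
import re

# Constructed sample headers (not captured from a real WebSEAL deployment).
# One PD_STATEFUL_* cookie lacks the flags, one carries them after the transformation.
SAMPLE_SET_COOKIE_HEADERS = [
    "PD_STATEFUL_8c02899c-abbd-11ea-b4f3-005056b1e0cf=/mga; Path=/",
    "PD_STATEFUL_8b012b34-abbd-11ea-b4f3-005056b1e0cf=/mga; Path=/; Secure; HttpOnly",
    "PD-S-SESSION-ID=abc123; Path=/; Secure; HttpOnly",
]
# The same cookies as the browser presents them on the next request: no attributes.
SAMPLE_REQUEST_COOKIE_HEADER = (
    "PD_STATEFUL_8c02899c-abbd-11ea-b4f3-005056b1e0cf=/mga; "
    "PD_STATEFUL_8b012b34-abbd-11ea-b4f3-005056b1e0cf=/mga; PD-S-SESSION-ID=abc123"
)

# Match any WebSEAL stateful-junction cookie regardless of the generated UUID suffix.
STATEFUL_COOKIE = re.compile(r"^PD_STATEFUL_[0-9a-f-]+$", re.IGNORECASE)
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookie_headers(set_cookie_values):
    """Return {cookie_name: [missing flags]} for every PD_STATEFUL_* cookie seen."""
    findings = {}
    for raw in set_cookie_values:
        name, _value, attrs = parse_set_cookie(raw)
        if STATEFUL_COOKIE.match(name):
            findings[name] = [f for f in REQUIRED_FLAGS if f not in attrs]
    return findings


def request_cookie_names(cookie_header):
    """A request Cookie header carries only name=value pairs, never the flags."""
    return [p.strip().partition("=")[0] for p in cookie_header.split(";") if p.strip()]


if __name__ == "__main__":
    for name, missing in audit_set_cookie_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(name, "OK" if not missing else "missing " + ", ".join(missing))
    print("request presents only names:", request_cookie_names(SAMPLE_REQUEST_COOKIE_HEADER))
```

    Run it against the Set-Cookie lines from a pdweb.http trace or browser dev tools to confirm the POP-invoked rule took effect; a scanner flagging the request-side Cookie header is reporting the absence of attributes that are never sent there.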