Secure CA SDM from Cross-Site Scripting Vulnerabilities

The CA SDM installation is susceptible to reflected cross-site scripting vulnerabilities, in which attacker-controlled input in the request URL is reflected back to the user. To secure CA SDM from such vulnerabilities, validation parameters exist in the web.cfg file. These parameters perform a white list validation of URL parameters in the webengine. Also, install the NX option on the primary and secondary servers to secure CA SDM.
Points to consider before you proceed with securing CA SDM:
  • Only the SDM URL parameters that are defined in the web.cfg file are validated for securing CA SDM.
  • You can add SDM URL parameters to the web.cfg file with the required validation pattern. You can also add validation patterns, if necessary.
Secure CA SDM from Cross-Site Scripting Vulnerabilities in Conventional and Advanced Availability Mode
Follow these steps:
  1. Stop the CA SDM services.
  2. On the primary server, execute the following command to install the NX option:
    pdm_options_mgr -c -a pdm_option.inst -s VALIDATE_REQUEST_PARAMETER -v 1
    For each secondary server, manually add or update the NX option in the NX.env file that is located in the $NX_ROOT directory.
  3. (Optional) To avoid losing the changes when you later run the pdm_configure command, execute the command with the -t flag:
    pdm_options_mgr -c -a pdm_option.inst -s VALIDATE_REQUEST_PARAMETER -v 1 -t
  4. Restart the CA SDM services.
  5. (Optional) In Advanced Availability mode, perform rolling maintenance to apply the NX option on all servers.
How to Map a Parameter to an Existing White List Pattern
When you identify a parameter as vulnerable, you can map the parameter in the web.cfg file to a white list pattern against which the parameter is validated. For example, CONTACT_ID is the vulnerable parameter and you want to map the AlphaNumericOnly white list pattern to it, which means that the CONTACT_ID parameter can accept only alphanumeric characters.
Follow these steps:
  1. Edit the web.cfg file, and in the XSS Vulnerability section, add the parameter that you want to validate against a pattern in the following way:
    SecureParameter.CONTACT_ID AlphaNumericOnly
  2. Edit the web.cfg.tpl file and update the same parameter.
  3. Restart the CA SDM services.
How to Create a White List Pattern
Apart from the out-of-the-box patterns, you can add new patterns to the web.cfg file or edit the existing ones.
Edit an Existing Pattern
For example, edit the following pattern to add the colon as an allowable character:
AlphaNumericOnly ^[A-Za-z0-9]*$
to
AlphaNumericOnly ^[A-Za-z0-9:]*$
Non-Windows
Edit the web.cfg file, locate the Patterns for Non-Windows section, and add the allowable character in the following way:
Non_windows_SecureValidator.AlphaNumericColonOnly ^[A-Za-z0-9:]*$
Windows
Edit the web.cfg file, locate the Patterns for Windows section, and add the allowable character in the following way:
Windows_SecureValidator.AlphaNumericColonOnly ^[A-Za-z0-9:]*$
After you add the patterns in the web.cfg file, perform the following steps:
  1. Edit the web.cfg.tpl file and update the same pattern.
  2. Restart the CA SDM services.
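To see how the parameter mapping and the platform-specific pattern lines above fit together, the following added example (not CA SDM code; it models the web.cfg line formats shown on this page) parses a constructed fragment and validates the parameters of a query string against their mapped white list patterns. The SUBJECT parameter and the AlphaNumericColonOnly mapping are assumptions for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed web.cfg fragment using the line formats described on this page
# (SecureParameter.<name> <pattern> and <platform>_SecureValidator.<pattern> <regex>).
WEB_CFG = """
SecureParameter.CONTACT_ID AlphaNumericOnly
SecureParameter.SUBJECT AlphaNumericColonOnly
Non_windows_SecureValidator.AlphaNumericOnly ^[A-Za-z0-9]*$
Non_windows_SecureValidator.AlphaNumericColonOnly ^[A-Za-z0-9:]*$
Windows_SecureValidator.AlphaNumericOnly ^[A-Za-z0-9]*$
Windows_SecureValidator.AlphaNumericColonOnly ^[A-Za-z0-9:]*$
"""

def load_config(text, platform="Non_windows"):
    """Return (parameter -> pattern name, pattern name -> compiled regex) for one platform."""
    params, patterns = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.startswith("SecureParameter."):
            params[key[len("SecureParameter."):]] = value.strip()
        elif key.startswith(platform + "_SecureValidator."):
            patterns[key.split(".", 1)[1]] = re.compile(value.strip())
    return params, patterns

def validate_query(query, params, patterns):
    """Validate every mapped parameter; return the (name, value) pairs that fail."""
    rejected = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        pattern_name = params.get(name)
        if pattern_name is None:
            continue  # parameters with no SecureParameter mapping are not validated
        regex = patterns[pattern_name]  # KeyError: mapping points at a pattern that is not defined
        # fullmatch, not match: with match(), "$" still accepts a value ending in a newline
        if regex.fullmatch(value) is None:
            rejected.append((name, value))
    return rejected
```

A mapping that names a pattern missing from the platform section raises KeyError, which is the misconfiguration to catch when web.cfg and web.cfg.tpl drift apart.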