The CA SDM installation is susceptible to reflected cross-site scripting vulnerabilities, in which a crafted URL parameter is reflected back to the user in the response page. To secure CA SDM from such vulnerabilities, validation parameters exist in the web.cfg file. These parameters perform a white list validation in the webengine: each mapped request parameter is accepted only if its value matches the pattern assigned to it. Also, install the NX option on the primary and secondary servers to secure CA SDM.
Points to consider before you proceed with securing CA SDM:
Follow these steps:
On the primary server, execute the following command to install the NX option.
pdm_options_mgr -c -a pdm_option.inst -s VALIDATE_REQUEST_PARAMETER -v 1
Note: For each secondary server, manually add or update the NX option in the NX.env file that is located in the $NX_ROOT directory.
(Optional) To avoid losing the changes when you run the pdm_configure command, run the same pdm_options_mgr command with the -t flag:
pdm_options_mgr -c -a pdm_option.inst -s VALIDATE_REQUEST_PARAMETER -v 1 -t
When you identify a parameter to be vulnerable, in the web.cfg file, you can map the parameter to a white list pattern against which the parameter is validated. For example, CONTACT_ID is the parameter that is vulnerable and you want to map the AlphaNumericOnly white list pattern to the parameter, which means the CONTACT_ID parameter can accept only alphanumeric characters.
Follow these steps:
Edit the web.cfg file, and in the XSS Vulnerability section, add the parameter that you want to validate against a pattern in the following way:
Apart from the out-of-the-box patterns, you can add new patterns to the web.cfg file or edit the existing ones.
For example, to allow a colon in addition to alphanumeric characters, change the pattern AlphaNumericOnly ^[A-Za-z0-9]*$ to AlphaNumericOnly ^[A-Za-z0-9:]*$
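To show what the white list check does to a request once a parameter is mapped to a pattern, here is an added Python model of the validation (illustrative code, not CA SDM's webengine; the dict layout of the parameter-to-pattern mapping and the AlphaNumericOrColon name are assumptions, only the AlphaNumericOnly pattern and the CONTACT_ID mapping come from the page):

```python
import re
from urllib.parse import parse_qsl

# Constructed allow-list patterns, modelled on the AlphaNumericOnly pattern
# quoted on the page. This dict is an illustration of the mapping, not the
# web.cfg syntax itself (assumption).
PATTERNS = {
    "AlphaNumericOnly": r"^[A-Za-z0-9]*$",
    # The same pattern after the edit described on the page (colon allowed).
    "AlphaNumericOrColon": r"^[A-Za-z0-9:]*$",
}

# Parameter-name-to-pattern mapping, as the page describes for CONTACT_ID.
PARAM_RULES = {"CONTACT_ID": "AlphaNumericOnly"}


def validate_query(query, param_rules=PARAM_RULES, patterns=PATTERNS):
    """Validate each parameter of a query string against its mapped pattern.

    Returns a dict: name -> (decoded value, verdict), where verdict is "ok",
    "rejected" or "unmapped". Unmapped parameters are not checked at all,
    which is the gap an allow-list leaves until every reflected parameter
    has a rule in web.cfg.
    """
    results = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        rule = param_rules.get(name)
        if rule is None:
            results[name] = (value, "unmapped")
            continue
        # fullmatch requires the whole decoded value to match the pattern
        verdict = "ok" if re.fullmatch(patterns[rule], value) else "rejected"
        results[name] = (value, verdict)
    return results


def has_rejected(results):
    """True when any mapped parameter failed its pattern (request refused)."""
    return any(verdict == "rejected" for _, verdict in results.values())


if __name__ == "__main__":
    # Constructed sample requests: a plain id, one carrying markup, one with a colon.
    for q in ("CONTACT_ID=A1B2C3", "CONTACT_ID=A1%3Cb%3E", "CONTACT_ID=A1:B2"):
        print(q, "->", validate_query(q))
```

Re-run the colon request with CONTACT_ID mapped to AlphaNumericOrColon to see the effect of the pattern edit described above.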
Edit the web.cfg file, locate the Patterns for Non-Windows section and add the allowable character in the following way:
Edit the web.cfg file, locate the Patterns for Windows section and add the allowable character in the following way:
After you add the patterns in the web.cfg file, perform the following steps: