Environment
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Situation
Access Manager 3.0 setup as a SAML2 Identity server, providing assertions to many SAML2 Service providers. Almost all SAML2 Service Providers were accessed using the intersite transfer URL. One such SAML2 Service Provider was hit with
Notice that the TARGET is set to just a language parameter instead of a final landing URL. In 3.0 this works: the "RelayState" parameter is set to "english", taken from the TARGET parameter.
After upgrading to Access Manager 3.1.3, the above intersite transfer link will post the response to the PID URL but will not use the TARGET as "RelayState".
In NAM 3.1.4, the above request will throw the following error:
Resolution
Append the parameter being passed to a valid landing URL (for example as a query parameter) instead of passing it by itself as the TARGET.
The change in behaviour was added as a security enhancement in newer 3.1 builds to prevent cross-site scripting (XSS) attacks. The Identity Server now scrubs the TARGET URL to detect characters that one would find in an XSS attack; e.g. in earlier builds the URL could be set to javascript:alert(%22Neil_Xploit%22). This is not possible with the 3.1.4 codebase.
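As an added illustration (not Novell/NetIQ code, and not the Identity Server's actual rules, which the article does not document), the following Python shows a TARGET/RelayState check of the kind described above together with a helper that builds a valid TARGET per the resolution. The scheme allowlist, the constructed landing-host allowlist and the suspicious-character set are assumptions.

```python
# Added example: defensive validation of a SAML2 intersite-transfer TARGET
# (RelayState) value, plus a helper that builds a valid TARGET from a landing
# URL and a parameter such as lang=english. Not the Identity Server's own
# logic; allowlists and the character set below are illustrative assumptions.
from urllib.parse import urlsplit, unquote, urlencode, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist of landing hosts the IDP may relay the browser to.
ALLOWED_HOSTS = {"sp.example.com"}
# Characters with no legitimate place in a landing URL and typical of
# script injection attempts (assumed set, for illustration only).
SUSPICIOUS = set('<>"\'();')


def validate_target(value: str) -> tuple:
    """Return (ok, reason) for a raw TARGET value as it arrives in the query string."""
    decoded = unquote(value)  # inspect the decoded form, not the encoded one
    parts = urlsplit(decoded)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        # Rejects both a bare token such as "english" (no scheme at all)
        # and non-HTTP schemes such as javascript:
        return False, "TARGET is not an absolute http(s) URL (scheme %r)" % parts.scheme
    if parts.hostname not in ALLOWED_HOSTS:
        return False, "landing host %r is not allowlisted" % parts.hostname
    if any(c in SUSPICIOUS for c in decoded):
        return False, "suspicious characters in TARGET"
    return True, "ok"


def build_target(landing_url: str, **params: str) -> str:
    """Append query parameters to a real landing URL, as the resolution recommends."""
    parts = urlsplit(landing_url)
    query = parts.query + ("&" if parts.query else "") + urlencode(params)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


if __name__ == "__main__":
    for candidate in ("english",
                      "javascript:alert(%22Neil_Xploit%22)",
                      build_target("https://sp.example.com/landing", lang="english")):
        print(candidate, "->", validate_target(candidate))
```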