KB40250 - AAA/SignIn URL: How to prevent users from browsing to other sign-in policies by changing the sign-in URL index value

Information

Last Modified Date: 3/15/2017 5:46 PM
Synopsis
This article provides the steps to prevent a user from accessing other sign-in policies hosted on a PCS or PPS device by changing the index value of the sign-in URL.
Problem or Goal

By changing the "url_<x>" portion of a sign-in URL, a user can be redirected to the sign-in page configured for a different sign-in URL hosted on the same device.

Note: A user cannot log in from that page without valid credentials for the realm assigned to its sign-in URL; however, it may still be desirable to prevent users from reaching other sign-in pages in this manner.

For example, for illustration purposes a device is configured with two different User URLs, each with its own custom sign-in page.


Upon browsing to https://www.test_1.com/test_1, the request is redirected to the sign-in page, and the system-assigned URL is displayed in the address bar as:
https://www.test_1.com/dana-na/auth/url_tlCjSSFIWrwNe5lB/welcome.cgi


Upon browsing to the second sign-in URL, https://www.test_2.com/test_2, the session is redirected to:
https://www.test_2.com/dana-na/auth/url_jJhN1Q5KGPkOUzry/welcome.cgi


By copying the following portion of the test_1 URL:
https://www.test_1.com/dana-na/auth/url_tlCjSSFIWrwNe5lB/welcome.cgi

and pasting the copied text over the corresponding portion of the test_2 URL so that the URL becomes:
https://www.test_2.com/dana-na/auth/url_url_tlCjSSFIWrwNe5lB/welcome.cgi

the session is redirected to the test_1 page, even though the host portion of the URL has not changed.


 

Cause
Sign-in policies are not designed to keep users from viewing other sign-in pages. However, if the PCS or PPS administrator wants to prevent users from accessing other sign-in pages in this manner, a solution is available.
Solution
A feature introduced in later 8.1R7 builds and present in all versions of 8.2 prevents URL tampering from redirecting to any other sign-in page when the index value of the sign-in URL is changed. It is not enabled by default, and enabling it requires XML Import/Export to modify the setting.

Follow these steps to export the XML of the system security configuration, modify it, and reimport it with the change.
  1. Go to Maintenance > Import/Export > Export XML.
  2. Expand the "System" settings.
  3. In the Security section select the "Security" configuration.
  4. Scroll to the bottom of the page and click "Export".
  5. Save the file "ive-export.xml" then open it in a text editor.
  6. Scroll to the bottom of the file and locate the XML tag for <signin-url-check>standard</signin-url-check>.
 
                </ssl-options>
                <lock-out-options>
                    <lock-out-time>2</lock-out-time>
                    <trigger>180</trigger>
                    <rate>3</rate>
                </lock-out-options>
                <last-login-options>
                    <show-last-login-time>false</show-last-login-time>
                    <show-last-login-ip>false</show-last-login-ip>
                </last-login-options>
                <health-check-options>
                    <healthcheck-allow-ip>enable</healthcheck-allow-ip>
                    <ips>
                    </ips>
                </health-check-options>
                <delete-cookies>preserve-cookies</delete-cookies>
                <include-session-cookie-in-url>include-cookie</include-session-cookie-in-url>
                <xframe-option>true</xframe-option>
                <slowpost-timeout>
                    <timeout>10</timeout>
                </slowpost-timeout>
                <slowpost-buffer>
                    <buffersize>32768</buffersize>
                </slowpost-buffer>
                <signin-url-check>standard</signin-url-check>
            </security>
        </configuration>
    </system>
</configuration>
  7. Change the value of the tag to "mitigate-url-tamper" as in the example below.
                </ssl-options>
                <lock-out-options>
                    <lock-out-time>2</lock-out-time>
                    <trigger>180</trigger>
                    <rate>3</rate>
                </lock-out-options>
                <last-login-options>
                    <show-last-login-time>false</show-last-login-time>
                    <show-last-login-ip>false</show-last-login-ip>
                </last-login-options>
                <health-check-options>
                    <healthcheck-allow-ip>enable</healthcheck-allow-ip>
                    <ips>
                    </ips>
                </health-check-options>
                <delete-cookies>preserve-cookies</delete-cookies>
                <include-session-cookie-in-url>include-cookie</include-session-cookie-in-url>
                <xframe-option>true</xframe-option>
                <slowpost-timeout>
                    <timeout>10</timeout>
                </slowpost-timeout>
                <slowpost-buffer>
                    <buffersize>32768</buffersize>
                </slowpost-buffer>
                <signin-url-check>mitigate-url-tamper</signin-url-check>
            </security>
        </configuration>
    </system>
</configuration>
  8. Save the .xml file.
  9. From the admin console go to Maintenance > XML Import/Export > XML Import.
  10. Click Browse, select the .xml file, then click Import.
  11. You should see a message indicating that the import was successful.


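The edit in steps 6 through 8 can also be scripted so the change is applied consistently across several exported files. The following Python example is added here and is not Pulse Secure tooling; it assumes the element nesting shown in the excerpt above (configuration > system > configuration > security > signin-url-check) and embeds a constructed, trimmed sample export so it runs stand-alone.

```python
"""Set <signin-url-check> to mitigate-url-tamper in an exported ive-export.xml.

Added example, not Pulse Secure's own tooling. Assumes the nesting shown in
the article's excerpt; the SAMPLE_EXPORT below is a constructed, trimmed copy.
"""
import sys
import xml.etree.ElementTree as ET
from io import BytesIO
from typing import Optional

# Constructed sample mirroring the tail of the export shown in the article.
SAMPLE_EXPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system>
        <configuration>
            <security>
                <xframe-option>true</xframe-option>
                <signin-url-check>standard</signin-url-check>
            </security>
        </configuration>
    </system>
</configuration>
"""

SETTING = "signin-url-check"
HARDENED = "mitigate-url-tamper"
XPATH = f".//system/configuration/security/{SETTING}"


def current_setting(xml_bytes: bytes) -> Optional[str]:
    """Return the current <signin-url-check> value, or None if absent."""
    node = ET.fromstring(xml_bytes).find(XPATH)
    return node.text if node is not None else None


def set_signin_url_check(xml_bytes: bytes, value: str = HARDENED) -> bytes:
    """Return the export with <signin-url-check> set to `value`.

    Raises ValueError if the tag is missing, so an export from a release
    that predates the feature is not silently re-imported unchanged.
    """
    root = ET.fromstring(xml_bytes)
    nodes = root.findall(XPATH)
    if not nodes:
        raise ValueError(f"<{SETTING}> not found; release may predate the feature")
    for node in nodes:
        node.text = value
    buf = BytesIO()  # ElementTree rewrites the XML declaration with single quotes
    ET.ElementTree(root).write(buf, encoding="UTF-8", xml_declaration=True)
    return buf.getvalue()


if __name__ == "__main__":
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    print("before:", current_setting(src))
    print("after: ", current_setting(set_signin_url_check(src)))
```

Run it with the path to the saved ive-export.xml to produce the modified bytes for re-import; without an argument it operates on the embedded sample.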

Now, when a user attempts to redirect the browser to a different sign-in policy by modifying the index value, the following message will be displayed:

 
Created By: Travis Bradbury