How to troubleshoot multiple encoding false positives with WAFS


Article ID: 169267


Products

Data Center Security Monitoring Edition ProxySG Software - SGOS

Issue/Introduction

The following fields in the bcreporterwarp_v1 access-log format contain values that have already been decoded:

x-bluecoat-waf-monitor-details
x-bluecoat-waf-block-details

As a result, these fields do not show you which encoding triggered the multiple_encoding action.

For example, if you add a cookie to the request with the following value:

%253C%252Fscript%253E

and WAFS is in monitor-only mode, the x-bluecoat-waf-monitor-details field will show the following decoded value:

[{""detect"":""multiple_encoding"",""part"":""cookie_name"",""data"":""<\/script>""}]

This is not helpful for finding out which encoding was detected. To make that possible, SGOS 6.6.4.3 adds the following access-log fields to the bcreporterwarp_v1 format:

x-bluecoat-request-details-header

x-bluecoat-request-details-body

These fields are present in the log by default but stay empty until you enable them with one of the following policy gestures:


  • http.request.log_details[body,header] (yes|no)
  • http.request.log_details[body] (yes|no)
  • http.request.log_details[header] (yes|no)

For example, if you add the following policy:

<proxy>
http.request.log_details[header] (yes)

the access log will now include every header of the request, including the still-encoded value of the Cookie header, for example:
Cookie: %253C%252Fscript%253E\r\n

Cause

The WAFS default policy includes the following rule:

;; Normalization
;;==============
<proxy>
http.request.normalization.default(auto)

This is the rule that triggers multiple_encoding.

The (auto) option expands to the following normalization setting:

http.request.normalization.default("urlDecode:(path),urlDecode:jsDecode:htmlEntityDecode:trimDecode:(header_name,header,cookie_name,cookie),urlDecode:urlDecode:jsDecode:htmlEntityDecode:utf8toUnicode:trimDecode:(arg_name,arg)")

What does this mean for the example above? We know the cookie header is triggering multiple_encoding, so the relevant part of the setting is:

urlDecode:jsDecode:htmlEntityDecode:trimDecode:(header_name,header,cookie_name,cookie)

This chain contains a single urlDecode, so the value is expected to be URL-encoded only once; a value that is encoded more than once triggers multiple_encoding. In other words, if you see %25 in the cookie header, the request will be blocked, because after one decode the proxy expects a literal "%" and instead finds a further layer of encoding.

Resolution

The fix is to change the normalization policy so that the header parts are double-decoded instead of single-decoded. The policy then becomes:
<proxy>
http.request.normalization.default("urlDecode:(path),urlDecode:urlDecode:jsDecode:htmlEntityDecode:trimDecode:(header_name,header,cookie_name,cookie),urlDecode:urlDecode:jsDecode:htmlEntityDecode:utf8toUnicode:trimDecode:(arg_name,arg)")

rather than the default:

<proxy>
http.request.normalization.default(auto)
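As an added example (not ProxySG or Blue Coat code), the following Python models the normalization chains from this article and the multiple_encoding check as the article explains it: each request part is run through its decoder chain, and a value that still contains a %XX sequence afterwards was encoded more than once. It shows why the auto chain flags the cookie value while the double-decode chain from the Resolution does not. The decoder implementations, the leftover-escape check, the parse of the normalization string, and the sample cookie values are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote

# Constructed model of the WAFS normalization chains and of the
# multiple_encoding check described in the article. Not Blue Coat code;
# the decoder behaviour and the detection rule are assumptions.

PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def js_decode(value):
    """Assumed jsDecode: expand \\xHH and \\uHHHH escapes."""
    value = re.sub(r"\\u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), value)
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


DECODERS = {
    "urlDecode": unquote,
    "jsDecode": js_decode,
    "htmlEntityDecode": html.unescape,
    "trimDecode": str.strip,
    "utf8toUnicode": lambda v: v,  # values are already str here; modelled as a no-op
}

# Expansion of http.request.normalization.default(auto), as quoted in the article.
AUTO = (
    "urlDecode:(path),"
    "urlDecode:jsDecode:htmlEntityDecode:trimDecode:(header_name,header,cookie_name,cookie),"
    "urlDecode:urlDecode:jsDecode:htmlEntityDecode:utf8toUnicode:trimDecode:(arg_name,arg)"
)

# The double-decode setting from the Resolution section.
DOUBLE_HEADER = (
    "urlDecode:(path),"
    "urlDecode:urlDecode:jsDecode:htmlEntityDecode:trimDecode:(header_name,header,cookie_name,cookie),"
    "urlDecode:urlDecode:jsDecode:htmlEntityDecode:utf8toUnicode:trimDecode:(arg_name,arg)"
)


def parse_normalization(spec):
    """Map each request part (path, cookie, arg, ...) to its list of decoders."""
    chains = {}
    for decoders, parts in re.findall(r"([A-Za-z0-9:]+):\(([^)]*)\)", spec):
        for part in parts.split(","):
            chains[part.strip()] = decoders.split(":")
    return chains


def normalize(part, value, spec):
    """Run one request part through the decoder chain the setting assigns to it."""
    value_out = value
    for name in parse_normalization(spec)[part]:
        value_out = DECODERS[name](value_out)
    return value_out


def check_multiple_encoding(part, value, spec):
    """Return a monitor-details style entry if the value was encoded more than
    the chain expects, else None. Assumed rule: a %XX escape that survives the
    chain means at least one encoding layer more than the chain decodes."""
    normalized = normalize(part, value, spec)
    if not PERCENT_ESCAPE.search(normalized):
        return None
    # The log field reports the fully decoded value, so strip the remaining layers.
    fully = normalized
    for _ in range(8):  # bounded: each pass removes one layer
        if not PERCENT_ESCAPE.search(fully):
            break
        fully = unquote(fully)
    return {"detect": "multiple_encoding", "part": part, "data": fully}


if __name__ == "__main__":
    cookie = "%253C%252Fscript%253E"  # constructed double-encoded cookie value from the article
    print("auto   :", check_multiple_encoding("cookie_name", cookie, AUTO))
    print("double :", check_multiple_encoding("cookie_name", cookie, DOUBLE_HEADER))
```

With the auto setting the cookie value comes out of the chain as %3C%2Fscript%3E, still carrying an escape, and is reported as multiple_encoding with the decoded data `</script>`; with the double-decode setting the same value decodes cleanly and nothing is flagged. The trade-off of the change is that every header and cookie part now tolerates one extra encoding layer, so a legitimately single-encoded literal such as %2541 is decoded to A rather than to %41; check that the applications behind the proxy do not depend on literal percent sequences in headers before changing the default.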