
How to troubleshoot multiple encoding false positives with WAFS


Article ID: 169267


Updated On:


Data Center Security Monitoring Edition ProxySG Software - SGOS


The following fields in the bcreporterwarp_v1 format provide unencoded values:

Therefore you will not be able to see what encoding is triggering the multiple_encoding action.

For example, if you add a cookie to the request with the following value:


and are in monitor-only mode for WAFS, then the x-bluecoat-waf-monitor-details field will display the following unencoded value:


This is not helpful in finding out which encoding was detected. To make that possible, SGOS adds the following access-log fields to the bcreporterwarp_v1 format:



By default these fields are present but have no values, because you need to enable them via policy gestures:

  • http.request.log_details[body,header] (yes|no)
  • http.request.log_details[body] (yes|no)
  • http.request.log_details[header] (yes|no)

So for example if you add the following policy:

http.request.log_details[header] (yes)

The access log will now include all the headers in the request, including the encoded value for the cookie header, i.e.:
Cookie: %253C%252Fscript%253E\r\n



The WAFS default policy includes the following rule:

;; Normalization




This is the rule which triggers multiple encoding.



The (auto) option expands to the following normalization setting:


So what does this mean for the above example? We know the cookie header is triggering multiple_encoding, so this applies:


Multiple encoding means that a value encoded more than once will trigger multiple_encoding, since we are only expecting the value to be encoded once due to the presence of a single:


That means that if you see %25 in the cookie header, we will block the request, since we are expecting a "%".
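To find which logged header carries more than one layer of percent-encoding, the following added example (not part of the original article or of SGOS) decodes each header value repeatedly and reports how many passes it takes to stabilise. It assumes the headers appear in the log as `Name: value` separated by a literal `\r\n`, as in the Cookie line above; the sample headers are constructed, and plain percent-decoding only approximates the appliance's own normalization.

```python
from urllib.parse import unquote

# Constructed sample: header block as it might appear in the access log once
# http.request.log_details[header] (yes) is set. The literal "\r\n" separators
# follow the Cookie example on this page; the other headers are made up.
SAMPLE_HEADERS = (
    r"Host: www.example.com\r\n"
    r"User-Agent: curl/8.0\r\n"
    r"Referer: https://www.example.com/a%20b\r\n"
    r"Cookie: %253C%252Fscript%253E\r\n"
)


def decode_layers(value, max_passes=5):
    """Return every intermediate form of value, one per percent-decode pass."""
    forms = [value]
    for _ in range(max_passes):  # bounded so odd input cannot loop for long
        decoded = unquote(forms[-1])
        if decoded == forms[-1]:  # nothing left to decode
            break
        forms.append(decoded)
    return forms


def encoding_depth(value):
    """Number of percent-decode passes that still change the value."""
    return len(decode_layers(value)) - 1


def find_multiple_encoding(header_block):
    """Return (name, depth, forms) for each header encoded more than once."""
    findings = []
    for line in header_block.split(r"\r\n"):
        name, sep, value = line.partition(":")
        if not sep:  # skip the empty trailing piece or malformed lines
            continue
        forms = decode_layers(value.strip())
        if len(forms) - 1 > 1:  # a single layer is normal; two or more is not
            findings.append((name.strip(), len(forms) - 1, forms))
    return findings


if __name__ == "__main__":
    for name, depth, forms in find_multiple_encoding(SAMPLE_HEADERS):
        print(f"{name}: {depth} encoding layers")
        for i, form in enumerate(forms):
            print(f"  after {i} decode(s): {form}")
```

A header reported with a depth of 2 or more is the one to examine when deciding whether the request is a genuine false positive.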



What you can do is change the normalization policy to double decode the header rather than single decode it, so the policy would be:

rather than: