
getting 400 errors while using SAC Web Application


Article ID: 253360


Updated On:

Products

Secure Access Cloud

Issue/Introduction


SAC users reported getting 400 errors for one API call starting Oct 3 2022; the same endpoint had no issues prior to Oct 3.

Going directly to the application (bypassing SAC) worked fine.

The problem URL included special characters passed as query string parameters, as shown below:

400 error through SAC:
  1. Request URL:
     https://video-tools.broadcom.com/parse/proxy?network=meetme&request={%22type%22:%22query%22,%22object%22:%22_Session%22,%22where%22:{%22sessionToken%22:%22test%22},%22order%22:{},%22limit%22:1,%22plain%22:true}
  2. Request Method:
     GET
  3. Status Code:
     400
  4. Remote Address:
     34.127.93.35:443
  5. Referrer Policy:
     strict-origin-when-cross-origin

200 OK going directly without SAC:
  1. Request URL:
     https://api.video-tools.internal.broadcom.com/parse/proxy?network=meetme&request={%22type%22:%22query%22,%22object%22:%22_Session%22,%22where%22:{%22sessionToken%22:%22test%22},%22order%22:{},%22limit%22:1,%22plain%22:true}
  2. Request Method:
     GET
  3. Status Code:
     200
  4. Remote Address:
     10.160.188.221:443
  5. Referrer Policy:
     strict-origin-when-cross-origin

Sending the same request through SAC without the query string parameters does not return a 400 Bad Request error (but also does not send the needed data).

Environment

SAC with Web Application enabled.

Cause

A SAC maintenance upgrade was rolled out on October 3 2022 in which URI special characters are handled in accordance with RFC 1738, such as:

"%", "{", "}", "|", "\", "^", "~", "[", "]", etc.

Since the URIs used by the "video-tools" application contained these characters unencoded, the requests were blocked in accordance with the updated security policy.

Resolution

URL encoding was added to the Web Application using the encodeURIComponent() function, so that the request is sent as:

request: usePostMethod ? JSON.stringify(request) : encodeURIComponent(JSON.stringify(request))

The query string parameters could also have been encoded manually (for example with https://www.urldecoder.org/) to produce the same output.
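The following is an added example, not code from this article or from the SAC product. It rebuilds the "request" parameter the way the fix above does (encodeURIComponent() around JSON.stringify()), adds a local pre-flight check for the RFC 1738 unsafe characters listed in the Cause section so a client can catch an unencoded value before it reaches SAC, and shows that the server side recovers the original object with a plain decode. The sample request object, the proxy host in buildGetUrl() and the hasUnsafeChars() check are constructed for illustration; the check approximates the policy described in the article, it is not SAC's own implementation. It also goes one step beyond the article: encodeURIComponent() leaves "~" unencoded (it is unreserved in RFC 3986) although RFC 1738 and the article's list treat it as unsafe, so encodeForSac() additionally escapes it.

```javascript
// Added example (not from the KB article or the SAC product).

// Constructed sample request, shaped like the one in the failing URL above.
const sampleRequest = {
  type: "query",
  object: "_Session",
  where: { sessionToken: "test" },
  order: {},
  limit: 1,
  plain: true,
};

// RFC 1738 section 2.2 "unsafe" characters, minus "%", which is checked separately
// because a correctly encoded value legitimately contains "%" as the escape character.
const UNSAFE_RAW = /[ <>"#{}|\\^~\[\]`]/;
// A "%" is only acceptable as the start of a two-hex-digit escape sequence.
const BAD_ESCAPE = /%(?![0-9A-Fa-f]{2})/;

// True if a query-string value would trip an RFC 1738 unsafe-character policy
// (illustrative approximation of the policy described in the article).
function hasUnsafeChars(value) {
  return UNSAFE_RAW.test(value) || BAD_ESCAPE.test(value);
}

// The article's fix: a GET carries the JSON percent-encoded in the query string,
// a POST carries it raw in the body where RFC 1738 URL rules do not apply.
function buildRequestParam(request, usePostMethod) {
  return usePostMethod
    ? JSON.stringify(request)
    : encodeURIComponent(JSON.stringify(request));
}

// Stricter variant: encodeURIComponent() does not touch "~", but the article's
// list of blocked characters includes it, so escape it as well for GETs through SAC.
function encodeForSac(value) {
  return encodeURIComponent(value).replace(/~/g, "%7E");
}

// Assemble a complete GET URL. "base" is whatever proxy endpoint the app targets
// (placeholder host in the demonstration below).
function buildGetUrl(base, network, request) {
  const params =
    `network=${encodeForSac(network)}` +
    `&request=${encodeForSac(JSON.stringify(request))}`;
  return `${base}?${params}`;
}

// What the receiving side does: a single decode yields the original object.
function decodeRequestParam(encoded) {
  return JSON.parse(decodeURIComponent(encoded));
}

// Stand-alone demonstration.
const rawParam = buildRequestParam(sampleRequest, true);
const encodedParam = buildRequestParam(sampleRequest, false);
console.log("raw JSON would be blocked on a GET:", hasUnsafeChars(rawParam));
console.log("encoded JSON would be blocked:", hasUnsafeChars(encodedParam));
console.log(buildGetUrl("https://sac-proxy.example/parse/proxy", "meetme", sampleRequest));
console.log("round trip ok:", JSON.stringify(decodeRequestParam(encodedParam)) === rawParam);
```

Running hasUnsafeChars() on the raw JSON reports true (it contains `{`, `}` and `"`), while the encodeURIComponent() output passes, which is exactly the difference between the 400 and 200 responses in the Issue section. Note that the "before" URL in the article only has the quotes escaped as %22 while the braces are left bare, which is what a browser does on its own when raw JSON is dropped into a URL; it is not a substitute for encoding the whole value.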

Additional Information

As a best practice, always encode URLs being sent into SAC.