Web Agent should escape URL query " character as Percent Encoded when the browser doesn't escape it
Article ID: 92571
Products
CA Single Sign On Secure Proxy Server (SiteMinder); CA Single Sign On SOA Security Manager (SiteMinder); CA Single Sign-On
Issue/Introduction
We're running Web Agent, and when accessing a resource with Internet Explorer, if the protected resource has a " character in the query part of the URL, the " character isn't percent-encoded.
Setting fcchtmlencoding to "yes" solves the vulnerability that a bug in the Internet Explorer browser introduces.
IE URI Encoding Behavior Facilitates XSS Attacks, Researchers Say https://www.pcworld.com/article/248408/ie_uri_encoding_behavior_facilitates_xss_attacks_researchers_say.html
But we don't want to use fcchtmlencoding, as the HTML encoding doesn't apply to the other browsers, which show the " character as %22 instead (percent-encoding).
Moreover, according to RFC 3986, the URL should be percent-encoded. HTML encoding should be reserved for the content of a web page.
"A percent-encoding mechanism is used to represent a data octet in a component when that octet's corresponding character is outside the allowed set or is being used as a delimiter of, or within, the component.
[...]
Under normal circumstances, the only time when octets within a URI are percent-encoded is during the process of producing the URI from its component parts."
and HTML encoding should be used for HTML entities:
Browser Security Handbook, part 1, Hypertext Markup Language, HTML entity encoding:
"HTML entity encoding. HTML features a special encoding scheme called HTML entities. The purpose of this scheme is to make it possible to safely render certain reserved HTML characters (e.g., < > &) within documents, as well as to carry high bit characters safely over 7-bit media. The scheme nominally permits three types of notation:
One of predefined, named entities, in the format of &name; - for example &lt; for <, &gt; for >, &rarr; for →, etc.,
Decimal entities, &#nn;, with a number corresponding to the desired Unicode character value - for example &#60; for <, &#8594; for →,
Hexadecimal entities, &#xnn;, likewise - for example &#x3c; for <, &#x2192; for →."
Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP Component:
Resolution
The behavior you see is as designed.
You are expecting the Web Agent to encode the " character when smencoding the target URL while redirecting for credentials (login.fcc), so that the behaviour looks the same across browsers.
But IE does not encode the " character when sending the request to the web server, whereas Firefox sends " as %22.
IE: the " character is received as " by the web server.
Firefox: the " character is received as %22 by the web server.
The Web Agent is designed to preserve the URL exactly as it was received, even after authentication and authorization. For example, if the input URL to the Web Agent is http://server.com/index.html?key="val", the output URL (after authentication/authorization) is the same as the input. If the input URL is http://server.com/index.html?key=%22val%22, the output URL is again the same; in this scenario the " is encoded because the browser encoded it before sending the request.
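The following is an added illustration, not SiteMinder or Web Agent code: it takes the two example URLs above (the raw " that IE sends and the %22 that Firefox sends) and shows what RFC 3986 percent-encoding of the query does to each, compared with the HTML entity encoding that fcchtmlencoding applies. The function names are hypothetical.

```python
import html
import re
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed sample inputs, taken from the two URLs discussed in the article.
IE_URL = 'http://server.com/index.html?key="val"'          # raw '"', as IE sends it
FIREFOX_URL = 'http://server.com/index.html?key=%22val%22'  # '"' already percent-encoded

# Characters RFC 3986 allows unencoded in a query component: the unreserved
# set (handled by quote()), the sub-delims, and ':' '@' '/' '?'.
_QUERY_SAFE = "-._~!$&'()*+,;=:@/?"
_ESCAPE = re.compile(r'(%[0-9A-Fa-f]{2})')


def percent_encode_query(url: str) -> str:
    """Percent-encode the query component per RFC 3986.

    Existing valid %XX escapes are kept as they are, so a query that the
    browser already encoded comes back unchanged (idempotent), while a raw
    '"' becomes %22.  A stray '%' that is not part of an escape is encoded.
    """
    parts = urlsplit(url)
    pieces = _ESCAPE.split(parts.query)  # valid escapes land at odd indexes
    encoded = ''.join(
        p if i % 2 else quote(p, safe=_QUERY_SAFE) for i, p in enumerate(pieces)
    )
    return urlunsplit(parts._replace(query=encoded))


def html_entity_encode_query(url: str) -> str:
    """What HTML entity encoding (the fcchtmlencoding approach) does to the
    same query: '"' becomes &quot;, which is not what other browsers send."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=html.escape(parts.query, quote=True)))


def query_is_percent_encoded(url: str) -> bool:
    """True when the query already matches its RFC 3986 percent-encoded form,
    i.e. the browser did the encoding and the agent's pass-through is safe."""
    return percent_encode_query(url) == url


if __name__ == "__main__":
    for url in (IE_URL, FIREFOX_URL):
        print(url, "->", percent_encode_query(url),
              "| html:", html_entity_encode_query(url),
              "| already encoded:", query_is_percent_encoded(url))
```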