Web Agent should escape URL query " character as Percent Encoded when the browser doesn't escape it
Article ID: 92571
Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

We're running Web Agent with and when accessing a resource with
Internet Explorer, if the protected resource has a " character in the
query part of the URL, then the " character isn't percent-encoded.

Setting fcchtmlencoding to "yes" solves the vulnerability that a bug
in the Internet Explorer browser introduces.

IE URI Encoding Behavior Facilitates XSS Attacks, Researchers Say 
https://www.pcworld.com/article/248408/ie_uri_encoding_behavior_facilitates_xss_attacks_researchers_say.html 

But we don't want to use fcchtmlencoding, as HTML encoding
doesn't apply to the other browsers, which send the " character as %22
instead (percent-encoding).

Moreover, according to RFC 3986, the URL should be percent-encoded. HTML
encoding should be reserved for the content of a web page.

"A percent-encoding mechanism is used to represent a data octet in a 
component when that octet's corresponding character is outside the 
allowed set or is being used as a delimiter of, or within, the 
component. 

[...] 

Under normal circumstances, the only time when octets within a URI 
are percent-encoded is during the process of producing the URI from 
its component parts." 

Uniform Resource Identifier (URI): Generic Syntax 
https://tools.ietf.org/html/rfc3986#section-2.1 

and HTML encoding should be used for HTML entities:

Browser Security Handbook, part 1
Hypertext Markup Language
HTML entity encoding

HTML features a special encoding scheme
called HTML entities. The purpose of this scheme is to make it
possible to safely render certain reserved HTML characters (e.g., < >
&) within documents, as well as to carry high bit characters safely
over 7-bit media. The scheme nominally permits three types of
notation:

One of predefined, named entities, in the format of &name; - for
example &lt; for <, &gt; for >, &rarr; for →, etc,

Decimal entities, &#nn;, with a number corresponding to the
desired Unicode character value - for example &#60; for <, &#8594;
for →,

Hexadecimal entities, &#xnn;, likewise - for example &#x3c; for
<, &#x2192; for →.

https://code.google.com/archive/p/browsersec/wikis/Part1.wiki#HTML_entity_encoding 

How can we solve this?

Environment

Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:

Resolution

The behavior you see is as per design. 

You are expecting the Web Agent to encode the " character while
smencoding the target URL, when redirecting for
credentials (login.fcc), to make the browser behaviour look similar.

But IE is not encoding " character while sending the request to 
webserver, whereas Firefox sends " as %22 while sending it to 
webserver. 

IE: " character received as " by webserver. 
Firefox: " character received as %22 by webserver. 

The Web Agent is designed to make sure that the URL is preserved as it is
even after authentication and authorization. For example, if the input URL
to the Web Agent is http://server.com/index.html?key="val", the output URL (after
authentication/authorization) will be the same as the input. If the input URL is
http://server.com/index.html?key=%22val%22, then the output URL will
be the same. In this scenario " is encoded.
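The two encodings the article contrasts, as an added example (not CA Web Agent code): RFC 3986 percent-encoding of the query component, which turns the raw " that IE sends into %22 while leaving a Firefox-style %22 untouched (no double encoding), beside the HTML entity encoding that fcchtmlencoding applies to page content. Function and constant names are assumptions; the sample URLs are the ones from the Resolution above.

```python
# Added example, not CA/Broadcom code. Contrasts RFC 3986 percent-encoding
# of a URL query with HTML entity encoding, using the URLs from the article.
import re
from urllib.parse import urlsplit, urlunsplit

# Characters RFC 3986 allows unencoded in a query: unreserved, sub-delims,
# ":", "@", "/" and "?". The '"' character is not in this set.
_QUERY_SAFE = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~!$&'()*+,;=:@/?"
)
_PCT = re.compile(r"%[0-9A-Fa-f]{2}")  # a well-formed %XX triplet


def percent_encode_query(query: str) -> str:
    """Percent-encode each octet outside the allowed query set as %XX.

    An existing well-formed %XX triplet is copied through (upper-cased),
    so the function is idempotent: an already-encoded Firefox-style query
    is preserved exactly, while an IE-style raw '"' becomes %22.
    """
    out = []
    i = 0
    while i < len(query):
        m = _PCT.match(query, i)
        if m:
            out.append(m.group(0).upper())
            i = m.end()
            continue
        ch = query[i]
        if ch in _QUERY_SAFE:
            out.append(ch)
        else:
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
        i += 1
    return "".join(out)


def normalize_url(url: str) -> str:
    """Percent-encode only the query component of a URL, leaving the rest."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=percent_encode_query(parts.query)))


_HTML_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}


def html_entity_encode(text: str) -> str:
    """HTML entity encoding: right for page content, not for a URL."""
    return "".join(_HTML_ENTITIES.get(c, c) for c in text)
```

Running normalize_url on both sample URLs yields the same %22 form, whereas html_entity_encode turns the same query into key=&quot;val&quot;, which a browser would not interpret as a URL escape.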