Tech Tip : CA Single Sign-On : Web Agent should escape URL query " character as Percent Encoded when the browser doesn't escape it

    Broadcom Employee
    Posted Apr 20, 2018 03:28 AM



    We're running Web Agent with and when accessing a resource with
    Internet Explorer, if the protected resource has a " character in the
    query part of the URL, then the " character isn't percent-encoded.

    Setting fcchtmlencoding to "yes" solves the vulnerability that a bug
    in Internet Explorer browser introduces.

    IE URI Encoding Behavior Facilitates XSS Attacks, Researchers Say

    But we don't want to use fcchtmlencoding, as the HTML encoding
    doesn't apply to the other browsers that show the " character as %22
    instead (Percent-Encoding).

    Moreover, according to RFC 3986, the URL should be percent-encoded. The
    HTML encoding should be reserved for the content of a web page.

    "A percent-encoding mechanism is used to represent a data octet in a
    component when that octet's corresponding character is outside the
    allowed set or is being used as a delimiter of, or within, the


    Under normal circumstances, the only time when octets within a URI
    are percent-encoded is during the process of producing the URI from
    its component parts."

    Uniform Resource Identifier (URI): Generic Syntax

    and HTML encoding should be used for HTML entities:

    Browser Security Handbook, part 1
    Hypertext Markup Language
    HTML entity encoding

    HTML features a special encoding scheme called HTML entities. The
    purpose of this scheme is to make it possible to safely render certain
    reserved HTML characters (e.g., < > &) within documents, as well as to
    carry high bit characters safely over 7-bit media. The scheme nominally
    permits three types of

    One of predefined, named entities, in the format of &name; - for
    example &lt; for <, &gt; for >, &rarr; for →, etc,

    Decimal entities, &#nn;, with a number corresponding to the
    desired Unicode character value - for example &#60; for <, &#8594;
    for →,

    Hexadecimal entities, &#xnn;, likewise - for example &#x3C; for
    <, &#x2192; for →.

    How can we solve this?

    The behavior you see is as per design.

    You are expecting the Web Agent to encode the " character while
    smencoding the target URL, when redirecting for credentials
    (login.fcc), to make the browser functionality look similar.

    But IE is not encoding the " character while sending the request to the
    webserver, whereas Firefox sends " as %22 while sending it to

    IE: " character received as " by webserver.
    Firefox: " character received as %22 by webserver.

    The Web Agent is designed to make sure that the URL is preserved as it
    is even after authentication and authorization. For example, if the
    input URL to the WA is"val", the output URL (after
    authentication/authorization) will be the same as the input. If the
    input URL is say, then the output URL will
    be the same. In this scenario " is encoded.


    KB : KB000092571
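One way to canonicalise the query component the way the question asks for, written here as an added Python example (not code from this Tech Tip or from the CA Web Agent): characters outside the RFC 3986 query set, including the " that IE sends raw, are percent-encoded, an existing %22 from Firefox is preserved, and HTML entity encoding is shown alongside for contrast. The host sso.example.test, the sample URLs and the function names are assumptions.

```python
import html
from urllib.parse import urlsplit, urlunsplit

# RFC 3986, section 3.4: query = *( pchar / "/" / "?" ), where
# pchar = unreserved / pct-encoded / sub-delims / ":" / "@".
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
SUB_DELIMS = set("!$&'()*+,;=")
QUERY_ALLOWED = UNRESERVED | SUB_DELIMS | set(":@/?")
HEXDIGITS = set("0123456789ABCDEFabcdef")


def percent_encode_query(query: str) -> str:
    """Percent-encode every octet of a query component outside the RFC 3986
    allowed set. A well-formed %XX triplet is kept (so a query Firefox already
    encoded is untouched and the function is idempotent); a bare '%' that
    starts no triplet becomes %25."""
    out = []
    i = 0
    while i < len(query):
        ch = query[i]
        if (ch == "%" and i + 2 < len(query)
                and query[i + 1] in HEXDIGITS and query[i + 2] in HEXDIGITS):
            out.append(query[i:i + 3].upper())  # keep existing %22, upper-case hex
            i += 3
            continue
        if ch in QUERY_ALLOWED:
            out.append(ch)
        else:
            # Non-ASCII characters become one %XX per UTF-8 octet.
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
        i += 1
    return "".join(out)


def normalize_url(url: str) -> str:
    """Re-encode only the query; scheme, host, path and fragment pass through."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=percent_encode_query(parts.query)))


def html_encode_for_page(value: str) -> str:
    """HTML entity encoding belongs in page content (e.g. a form field value),
    not in the URL: here " becomes &quot;, not %22."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample: the same protected resource as IE and Firefox send it.
    ie_url = 'https://sso.example.test/app/page?q="val"'
    firefox_url = "https://sso.example.test/app/page?q=%22val%22"
    assert normalize_url(ie_url) == normalize_url(firefox_url) == firefox_url
```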