Symantec Access Management

Tech Tip : CA Single Sign-On : Web Agent should escape URL query " character as Percent Encoded when the browser doesn't escape it

    Posted 04-20-2018 03:28 AM

    Issue:


    We're running Web Agent with and, when accessing a resource with
    Internet Explorer, if the protected resource has a " character in the
    query part of the URL, then the " character isn't percent-encoded.

    Setting fcchtmlencoding to "yes" solves the vulnerability that a bug
    in the Internet Explorer browser introduces.

    IE URI Encoding Behavior Facilitates XSS Attacks, Researchers Say
    https://www.pcworld.com/article/248408/ie_uri_encoding_behavior_facilitates_xss_attacks_researchers_say.html

    But we don't want to use fcchtmlencoding, as the HTML encoding
    doesn't apply to the other browsers, which show the " character as
    %22 instead (percent-encoding).

    Moreover, according to RFC 3986, the URL should be percent-encoded.
    HTML encoding should be reserved for the content of a web page.

    "A percent-encoding mechanism is used to represent a data octet in a
    component when that octet's corresponding character is outside the
    allowed set or is being used as a delimiter of, or within, the
    component.

    [...]

    Under normal circumstances, the only time when octets within a URI
    are percent-encoded is during the process of producing the URI from
    its component parts."

    Uniform Resource Identifier (URI): Generic Syntax
    https://tools.ietf.org/html/rfc3986#section-2.1

    and HTML encoding should be used for an HTML entity:

    Browser Security Handbook, part 1
    Hypertext Markup Language
    HTML entity encoding

    HTML entity encoding

    HTML features a special encoding scheme called HTML entities. The
    purpose of this scheme is to make it possible to safely render
    certain reserved HTML characters (e.g., < > &) within documents, as
    well as to carry high bit characters safely over 7-bit media. The
    scheme nominally permits three types of notation:

    One of predefined, named entities, in the format of &name; - for
    example &lt; for <, &gt; for >, &rarr; for →, etc,

    Decimal entities, &#nn;, with a number corresponding to the desired
    Unicode character value - for example &#60; for <, &#8594; for →,

    Hexadecimal entities, &#xnn;, likewise - for example &#x3c; for <,
    &#x2192; for →.

    https://code.google.com/archive/p/browsersec/wikis/Part1.wiki#HTML_entity_encoding

    How can we solve this?


    Resolution:


    The behavior you see is as per design.

    You are expecting the Web Agent to encode the " character while
    smencoding the target URL when redirecting for credentials
    (login.fcc), to make the browser behaviour look similar.

    But IE does not encode the " character when sending the request to
    the web server, whereas Firefox sends " as %22 when sending it to
    the web server.

    IE: " character received as " by the web server.
    Firefox: " character received as %22 by the web server.

    The Web Agent is designed to make sure that the URL is preserved as-is
    even after authentication and authorization. For example, if the
    input URL to the Web Agent is http://server.com/index.html?key="val",
    the output URL (after authentication/authorization) will be the same
    as the input. If the input URL is, say,
    http://server.com/index.html?key=%22val%22, then the output URL will
    be the same. In this scenario " is encoded.


    KB : KB000092571
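    The two encodings this tech tip contrasts, shown side by side as an
    added example; this is not code from the KB article or from the Web
    Agent. It assumes Node.js, and the function names, the hidden TARGET
    field and the sample URLs are illustrative assumptions, not Web Agent
    behaviour. normalizeQuery() applies RFC 3986 percent-encoding to a
    query as received by the web server, so the IE form (key="val") and
    the Firefox form (key=%22val%22) collapse to one canonical URL without
    double-encoding existing %XX escapes; htmlEncode() is the entity
    encoding that belongs only where the URL is reflected into a page,
    which is the case fcchtmlencoding covers.

```javascript
// Added example (not from the KB or the CA/Symantec Web Agent).
// Illustrates percent-encoding of a URL query (RFC 3986) versus HTML
// entity encoding of a value reflected into a page. All names and
// sample URLs are assumptions made for the example.

// Characters RFC 3986 allows unescaped in a query component: unreserved,
// sub-delims, ":", "@", "/" and "?". Everything else, the double quote
// included, must be percent-encoded.
const QUERY_ALLOWED = /^[A-Za-z0-9\-._~!$&'()*+,;=:@\/?]$/;

// Percent-encode a query the way a browser such as Firefox sends it.
// Valid %XX escapes already present are kept (upper-cased) rather than
// encoded again, so the Firefox form is left unchanged and the IE form
// ends up identical to it. Iterates by code point so multi-byte UTF-8
// is encoded as a whole; a lone surrogate would make
// encodeURIComponent throw, which is an acceptable rejection here.
function normalizeQuery(query) {
  const chars = Array.from(query);
  let out = "";
  for (let i = 0; i < chars.length; i++) {
    const ch = chars[i];
    const hex = (chars[i + 1] || "") + (chars[i + 2] || "");
    if (ch === "%" && /^[0-9A-Fa-f]{2}$/.test(hex)) {
      out += "%" + hex.toUpperCase(); // keep an existing escape as-is
      i += 2;
    } else if (QUERY_ALLOWED.test(ch)) {
      out += ch;
    } else {
      out += encodeURIComponent(ch);   // '"' -> %22, ' ' -> %20, '%' -> %25
    }
  }
  return out;
}

// Normalize only the query part of a URL as received by the server
// (a request line carries no fragment, so nothing after '#' is expected).
function normalizeUrl(url) {
  const q = url.indexOf("?");
  if (q < 0) return url;
  return url.slice(0, q + 1) + normalizeQuery(url.slice(q + 1));
}

// HTML entity encoding: for text or attribute values placed in a page,
// not for the URL itself.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function htmlEncode(text) {
  return text.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Reflect a target URL into a (hypothetical) login form's hidden field.
// With the raw IE form the quote terminates the value attribute; with
// entity encoding it cannot, whatever the browser sent.
function targetField(url, encodeValue) {
  const v = encodeValue ? htmlEncode(url) : url;
  return `<input type="hidden" name="TARGET" value="${v}">`;
}

const ieForm = 'http://server.com/index.html?key="val"';      // constructed
const ffForm = "http://server.com/index.html?key=%22val%22";  // constructed
console.log(normalizeUrl(ieForm));        // http://server.com/index.html?key=%22val%22
console.log(normalizeUrl(ffForm));        // identical to the line above
console.log(targetField(ieForm, false));  // quote breaks out of value="..."
console.log(targetField(ieForm, true));   // value="...key=&quot;val&quot;"
```

    The point of the pair is the post's own: percent-encoding is the job of
    whoever builds the URL, entity encoding is the job of whoever writes
    the URL into HTML, and neither substitutes for the other.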