Symantec Access Management

  • Private Community
 View Only

  • 1.  Issue with target containing ampersand

    Posted Sep 04, 2018 11:29 PM

    We are using a login.fcc with the following directive:

    @targetenc=%urlencode(target)%

     

    We then use $$targetenc$$ to obtain the value of the target.

     

    With Test URL #1: https://hostname.com/index.jsp?test=1

    The value of $$targetenc$$ is HTTPS%3A%2F%2Fhostname.com%2Findex.jsp%3Ftest%3D1 as expected.

     

    With Test URL #2: https://hostname.com/index.jsp?test=1&test1=2

    The value of $$targetenc$$ is DATA BLOCKED

     

    Seems there is an issue with urlencode when the target contains an ampersand, which can be quite common.

     

    Web Server is Apache 2.2 on RHEL 6.x with R12.52 agent.

    Policy Server is R12.6,



  • 2.  Re: Issue with target containing ampersand

    Posted Sep 05, 2018 05:48 AM

    Mike rtnmike

     

    Have we looked at the ACO settings BadURLChars, BadQueryChars, BadFormChars, BadCssChars ? I'd assume one of these, most probably the BadFormChars would be doing this (refer the default list and is it enabled). But worth while to check against the other Parameters as well. Did you see anything reported in Web Agent Trace log, to see which parameter it'd be ?

     

    Reference : 

    How BadURLChars, BadQueryChars and BadFormChars se - CA Knowledge 

    Help Prevent Attacks - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

    Help Prevent Attacks - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

    Help Prevent Attacks - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

    Regards

    Hubert



  • 3.  Re: Issue with target containing ampersand
    Best Answer

    Posted Sep 05, 2018 08:33 AM

    Thank you for the reply Hubert.

     

    Strangely, the ACO parameter BadFormChars is commented out. I figured that meant disabled.

     

    It was this: #BadFormChars <,>,&,%22

    Changed it to this: BadFormChars <,>,%22

     

    Now the Test URL#2 works!!!

     

    Thank you!



  • 4.  Re: Issue with target containing ampersand

    Posted Sep 05, 2018 10:06 AM

    Mike rtnmike

     

    The understanding of BadFormChars being disabled by default is correct. My suggestion was just to identify what was blocking the functional aspect. Now that we know, what was blocking the functional aspect and that it does not align with the documentation of the intended behavior - I'd recommend raising a Support Case and seek clarification as to is a Doc Bug OR a product bug ? In order to save retyping everything, have this communities link added in the Case.

     

    BadFormChars [Help Prevent Attacks - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation ]

     

    Regards

    Hubert



  • 5.  Re: Issue with target containing ampersand

    Posted Sep 05, 2018 11:02 AM

    I have a CA Support case opened already, will provide them with the link to this thread.  Thanks again.