Symantec Access Management

  • 1.  How the SiteMinder Webagent encode & decode URLs

    Broadcom Employee
    Posted Feb 25, 2013 06:13 PM

    Many people can get confused between SiteMinder URL encoding and other URL encoding.
    Today, there are many internet components and technologies that are capable of doing URL encoding.
    Some may take UTF-8, others may not.

    Here we are trying to expose the logic behind SiteMinder URL encoding, so people can separate its algorithm functions from others.
    The same information can be found on the support site as well.

    Description:
    What is the algorithm used by the Webagent to encode / decode URL?
    Solution:
    WebAgent encodes a URL:
    ==================
    If the URL contains any of the following characters, the WebAgent will encode it:
    ' '(space), '&', '+', '?', '%', or '$'.
    First, the URL is prepended with '$SM$'.
    Next, the following rules are applied in order:
    ' ' is replaced with '%20'
    '&' is replaced with '%26'
    '+' is replaced with '%2b'
    '?' is replaced with '%3f'
    '@' is replaced with '%40'
    '"' is replaced with '"' (no changes/encoding)
    '=' is replaced with '%3d'
    '%' is replaced with '$%' or '-%'
    Case of '$' and '-'

    '$' is used as delimiter for traditional agents / legacy encoding = yes

    '$' is replaced with '$$'
    '$$' is replaced with '$$$$'
    '$$$' is replaced with '$$$$$$'
    '-' is replaced with '-' (no changes/encoding)

    When decoding, it reverses the logic: the agent removes a single $ sign for every one it added before.

     

    '-' is used as delimiter for framework agents / legacy encoding = No

    '-' is replaced with '--'
    '--' is replaced with '----'
    '---' is replaced with '------'
    '$' is replaced with '%24'

    When decoding, it reverses the logic: the agent removes a single hyphen sign for every one it added before.

     

    Scenario with traditional agents / legacy encoding = yes 
    URL being encoded is:
    http://server.domain.com/resource?P1=A+B&P2=Space%20Here
    SM-Encoded, it becomes:
    $SM$http%3a%2f%2fserver%2edomain%2ecom%2fresource%3fP1=A%2bB%26P2=Space$%20Here
    WebAgent decodes a URL:
    ==================
    If the URL starts with '$SM$', then scan the string from the beginning. If the current character is '$', skip to the next character and return it. If the current character is %, then read the next TWO characters and return the urldecoded value. Otherwise return the current character. The algorithm will not urldecode a value such as $%20,
    because the % will have been skipped by the first case.

    So, if the URL being decoded is:

    $SM$http%3a%2f%2fserver%2edomain%2ecom%2fresource%3fP1=A%2bB%26P2=Space$%20Here
    first strip off the $SM$:
    http%3a%2f%2fserver%2edomain%2ecom%2fresource%3fP1=A%2bB%26P2=Space$%20
    then parse down the string until we find a '$' or a '%':
    http%3a%2f%2fserver%2edomain%2ecom%2fresource%3fP1=A%2bB%26P2=Space$%20
    At this point, we see a %. So, we urldecode the % and the next two characters and then continue:
    http:%2f%2fserver%2edomain%2ecom%2fresource%3fP1=A%2bB%26P2=Space$%20Here

    Again, we see a %. Repeat:

    http:/%2fserver%2edomain%2ecom%2fresource%3fP1=A%2bB%26P2=Space$%20Here

    Repeat (x times)

    http://server.domain.com/resource?P1=A+B&P2=Space
    Now, we see a '$' character, that means we return the next character and continue scanning.
    http://server.domain.com/resource?P1=A+B&P2=Space%20Here
    And now we've reached the end of the string. This is the SM-Decoded value.

    Scenario with Framework agents / legacy encoding = FALSE
    http://server.domain.com/protected/HeaderDumper.asp?1%202&3+4?5%6$7@8"9=10-11--12---13
    becomes
    SM-HTTP%3a%2f%2fserver%2edomain%2ecom%2fprotected%2fHeaderDumper%2easp%3f1-%202%263%2b4%3f5-%6%247%408"9%3d10--11----12------13



  • 2.  RE: How the SiteMinder Webagent encode & decode URLs

     
    Posted Feb 27, 2013 02:15 PM
    Thanks for the tip! :grin:


  • 3.  RE: How the SiteMinder Webagent encode & decode URLs

    Posted Feb 28, 2013 10:02 AM
    Thank You, very informative.


  • 4.  RE: How the SiteMinder Webagent encode & decode URLs

    Posted Aug 15, 2013 05:06 PM
    What about when the URL contains "#"?
    Looks like the webagent is not encoding it, and it truncates the remaining characters including #. In the below example, it ignores # and anything after that. The webagent is disabled, the target page is accessible with "#"

    https://ssointrad.dev.ipc.us.aexp.com/SSOI/request?request_type=auth_ad#test
    TARGET=$SM$HTTPS%3a%2f%2fssointrad%2edev%2eipc%2eus%2eaexp%2ecom%2fSSOI%2frequest%3frequest_type%3dauth_ad


  • 5.  RE: How the SiteMinder Webagent encode & decode URLs

    Posted Mar 27, 2014 07:39 AM

    This is very resourceful.

    Thank You for the information. 

    Reg:

    Suresh

     

     



  • 6.  Re: How the SiteMinder Webagent encode & decode URLs

    Broadcom Employee
    Posted Nov 16, 2017 11:51 PM

    I've added some code that does the smencoding/smdecoding. 

     

    There is one major point missing in the article, and that is the "-" is an escape character, so to decode/encode you need to read the string character by character and if you find a "-" then you take the next character unchanged.   

     

    The "-" is used to escape the "-" character and the "%" character - it is the 2nd one that caused real problems with double and triple smencoded parameters, particularly when custom login pages then use urldecode to try and decode them. 

     

    There is more about that problem here : 

     

    SMEncode method should change to be more compatible with URLDecode 

     

    The Idea also includes sample java file SMEncode.java to do the current encoding/decoding correctly. 

     

    Cheers - Mark

    ---
    Mark O'Donohue
    Snr Principal Support Engineer
    CA Technologies Support

    Attachment(s)

    zip
    SMEncode.java.zip   1 KB 1 version
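
Added example (not from the thread and not the attached SMEncode.java): a Python decoder that follows the character-by-character scan described in the first post and the "-" escape rule from the last post, run against the two encoded URLs quoted in the thread. The `-SM-` prefix and the one-to-one handling of bytes above 0x7f are assumptions; the thread prints the framework prefix as `SM-`.

```python
from urllib.parse import unquote

# Prefix -> escape character. '$SM$' (traditional / legacy encoding) and 'SM-'
# (framework) are as printed in the thread; '-SM-' is an assumed variant.
PREFIXES = {"$SM$": "$", "-SM-": "-", "SM-": "-"}
HEX = set("0123456789abcdefABCDEF")

# Encoded values quoted in the first post.
LEGACY_SAMPLE = ("$SM$http%3a%2f%2fserver%2edomain%2ecom%2fresource"
                 "%3fP1=A%2bB%26P2=Space$%20Here")
FRAMEWORK_SAMPLE = ('SM-HTTP%3a%2f%2fserver%2edomain%2ecom%2fprotected'
                    '%2fHeaderDumper%2easp%3f1-%202%263%2b4%3f5-%6%247%408"9'
                    '%3d10--11----12------13')

def sm_decode(value: str) -> str:
    """Decode an SM-encoded URL; a value without a known prefix is returned as-is."""
    for prefix, escape in PREFIXES.items():
        if value.startswith(prefix):
            body = value[len(prefix):]
            break
    else:
        return value
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == escape:
            # Escape character: the next character is taken unchanged.
            if i + 1 >= len(body):
                raise ValueError("dangling escape at end of input")
            out.append(body[i + 1])
            i += 2
        elif ch == "%":
            # Percent triplet: decode exactly two hex digits (assumption:
            # bytes above 0x7f map one-to-one, no UTF-8 handling).
            pair = body[i + 1:i + 3]
            if len(pair) != 2 or not set(pair) <= HEX:
                raise ValueError(f"malformed percent escape at offset {i}")
            out.append(chr(int(pair, 16)))
            i += 3
        else:
            out.append(ch)
            i += 1
    return "".join(out)

if __name__ == "__main__":
    for sample in (LEGACY_SAMPLE, FRAMEWORK_SAMPLE):
        print("sm_decode:", sm_decode(sample))
        # A plain urldecode ignores the escape character and decodes escaped '%'.
        print("urldecode:", unquote(sample))
```

Running it shows the difference the last post describes: a plain urldecode turns the escaped `$%20` into `$` plus a space, while the escape-aware scan returns the literal `%20`.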