Patrick-Dussault

Tech Tip : CA Single Sign-On : Web Agent should escape URL query " character as Percent Encoded when the browser doesn't escape it

Discussion created by Patrick-Dussault Employee on Apr 20, 2018

Issue:

We're running Web Agent with and when accessing a resource with
Internet Explorer, if the protected resource has a " character in the
query part of the URL, then the " character isn't percent-encoded.

Setting fcchtmlencoding to "yes" solves the vulnerability that a bug
in Internet Explorer browser introduces.

IE URI Encoding Behavior Facilitates XSS Attacks, Researchers Say
https://www.pcworld.com/article/248408/ie_uri_encoding_behavior_facilitates_xss_attacks_researchers_say.html

But we don't want to use fcchtmlencoding, as the HTML encoding
doesn't apply to the other browsers that show the " character as %22
instead (Percent-Encoding).

Moreover, according to RFC 3986, the URL should be percent-encoded.
HTML encoding should be reserved for the content of a web page.

"A percent-encoding mechanism is used to represent a data octet in a
component when that octet's corresponding character is outside the
allowed set or is being used as a delimiter of, or within, the
component.

[...]

Under normal circumstances, the only time when octets within a URI
are percent-encoded is during the process of producing the URI from
its component parts."

Uniform Resource Identifier (URI): Generic Syntax
https://tools.ietf.org/html/rfc3986#section-2.1

and HTML encoding should be used for HTML entities:

Browser Security Handbook, part 1
Hypertext Markup Language
HTML entity encoding

HTML features a special encoding scheme called HTML entities. The
purpose of this scheme is to make it possible to safely render certain
reserved HTML characters (e.g., < > &) within documents, as well as to
carry high bit characters safely over 7-bit media. The scheme
nominally permits three types of notation:

One of predefined, named entities, in the format of &name; - for
example &lt; for <, &gt; for >, &rarr; for →, etc,

Decimal entities, &#nn;, with a number corresponding to the
desired Unicode character value - for example &#60; for <, &#8594;
for →,

Hexadecimal entities, &#xnn;, likewise - for example &#x3C; for
<, &#x2192; for →.

https://code.google.com/archive/p/browsersec/wikis/Part1.wiki#HTML_entity_encoding

How can we solve this?

Resolution:

The behavior you see is as per design.

You are expecting the Web Agent to encode the " character while
smencoding the target URL, when redirecting for credentials
(login.fcc), to make the browser behaviour look similar.

But IE is not encoding the " character when sending the request to the
web server, whereas Firefox sends " as %22 when sending it to the
web server.

IE: " character received as " by webserver.
Firefox: " character received as %22 by webserver.

The Web Agent is designed to make sure that the URL is preserved as it
is even after authentication and authorization. For example, if the
input URL to the WA is http://server.com/index.html?key="val", the
output URL (after authentication/authorization) will be the same as
the input. If the input URL is say
http://server.com/index.html?key=%22val%22, then the output URL will
again be the same. In this scenario " is encoded.
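As an added example (not code from CA's Web Agent or from the original post), the Python below does what the question asks for on the defender's side: it percent-encodes any character outside the RFC 3986 query set in a received URL without double-encoding octets that are already %XX, so the IE-style `"` and the Firefox-style `%22` converge on the same form, and it keeps HTML entity encoding separate, for the one place it belongs: the URL reflected into a page such as a login form. Function names and the sample URLs are constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit, urlunsplit

# RFC 3986 section 3.4: query = *( pchar / "/" / "?" )
# pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
# Characters that may appear raw in a query component; '"' is not among them.
QUERY_ALLOWED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~"          # unreserved
    "!$&'()*+,;="   # sub-delims
    ":@/?"          # remaining pchar and query characters
)
PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")


def percent_encode_query(query: str) -> str:
    """Percent-encode every octet outside the RFC 3986 query set.

    Well-formed %XX triplets already present are passed through (upper-cased),
    so the function is idempotent: an already-encoded query is left alone and
    a raw '"' from IE becomes the same %22 that Firefox would have sent.
    """
    out = []
    i = 0
    while i < len(query):
        m = PCT_ENCODED.match(query, i)
        if m:                       # keep existing pct-encoded octet as-is
            out.append(m.group(0).upper())
            i = m.end()
            continue
        ch = query[i]
        if ch in QUERY_ALLOWED:
            out.append(ch)
        else:                       # '"' -> %22, ' ' -> %20, non-ASCII -> UTF-8 octets
            out.append("".join(f"%{b:02X}" for b in ch.encode("utf-8")))
        i += 1
    return "".join(out)


def normalize_url(url: str) -> str:
    """Rewrite only the query part; scheme, host and path are left untouched."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=percent_encode_query(parts.query)))


def html_attribute_value(url: str) -> str:
    """HTML entity encoding for a URL embedded in page content (e.g. a hidden
    form field). This is a separate concern from percent-encoding the URL."""
    return html.escape(url, quote=True)
```

Running normalize_url on the two inputs from the resolution gives the same `%22` form for both, while html_attribute_value turns `"` into `&quot;` only for the copy that is written into HTML.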

KB : KB000092571