If the pages protected by WebSEAL contain URLs that are encoded inside script, WebSEAL will not filter (rewrite) them automatically unless you configure the encoding it should look for.
For example:
JavaScript link, backslash-U hex encoded (the "://" is written as ":\u002f\u002f"):
var a = document.createElement('a');
var label = "http:\u002f\u002fsomeserver:8080\u002fdemo\u002fblah";
var linkText = document.createTextNode(label);
a.appendChild(linkText);
a.title = "my title text";
a.href = label;
document.body.appendChild(a);
Without the filtering configured correctly, this link will be displayed in the browser (and followed) as
http://someserver:8080/demo/blah
Rather than pointing to the WebSEAL relative URL:
/demo/blah
In WebSEAL 6.1.1 FP7 we added a new stanza for advanced encoding.
A new option allows WebSEAL to filter URI-encoded and escaped URLs. To enable advanced filtering, add the following option to the [server] stanza of the WebSEAL configuration file:

[server]
disable-advanced-filtering = false

WebSEAL advanced filtering can process a number of URI encoding types. A new stanza, [filter-advanced-encodings], configures the types of encoding that will be detected and filtered. The general format of the stanza is:

[filter-advanced-encodings]
<escaping method> = <chars to escape>
<escaping method> = <chars to escape>
...

where <escaping method> is one of:

ampersand - Ampersand (HTML entity) encoded (e.g. HTTP://host:port/path?V1=D1&amp;V2=D2)
ampersand-hex - Ampersand hex encoded (e.g. HTTP&#x3a;&#x2f;&#x2f;host&#x3a;port&#x2f;)
ampersand-dec - Ampersand decimal encoded (e.g. HTTP&#58;&#47;&#47;host&#58;port&#47;)
escaped - Backslash encoded (e.g. HTTP:\/\/host:port\/)
percent - Percent hex encoded (e.g. HTTP%3A%2F%2Fhost%3Aport%2F)
escaped-u - Backslash U hex encoded (e.g. HTTP:\u002f\u002fhost:port\u002f)
percent-u - Percent U hex encoded (e.g. HTTP%u003a//host%u003aport/)
escaped-x - Backslash X hex encoded (e.g. HTTP\x3A\x2F\x2Fhost\x3Aport\x2F)

and <chars to escape> is a list of characters that need encoding, governed by the following rules:

- If two characters are separated by a '-' (hyphen), this is a range of characters to encode. For example "A-Z" is all characters from 'A' to 'Z', including 'A' and 'Z'.
- If the first character in the list is '^', the list is the set of characters *not* to encode. For example "^A-Za-z" is every character except 'A' to 'Z' and 'a' to 'z'.
- If the first character (after any '^') is a '-' (hyphen), it is taken as a literal '-' rather than the start of a range.

Note: It is permissible to have multiple entries with the same <escaping method>, provided they produce different encodings of the "://" string.

WebSEAL applies the <escaping method> to the <chars to escape> to encode the string "://", and uses that encoded value in combination with "http" or "https" to detect encoded URLs. In other words, a stanza entry only matches links in which "://" appears exactly as that entry would encode it. The very first entry should define the "ampersand" encoding method and must not list ':' or '/' in its <chars to escape>; that entry then matches URLs with an unencoded "://".

As an example, the following [filter-advanced-encodings] stanza:

[filter-advanced-encodings]
ampersand = &<>"'
ampersand-hex = ^a-zA-Z0-9.
ampersand-dec = ^a-zA-Z0-9.
percent = ^a-zA-Z0-9.
escaped-x = ^a-zA-Z0-9.

specifies the following behaviour:

ampersand = &<>"' - Lets WebSEAL find and filter unencoded links such as "http://backend.com:80/". It identifies the link by looking for "http" or "https" followed by "://". Any WebSEAL host name or junction path substituted into the filtered link will have the characters &<>"' replaced by their encoded forms &amp;, &lt;, &gt;, &quot; and &#39; respectively.

ampersand-hex = ^a-zA-Z0-9. - Lets WebSEAL find and filter ampersand hex encoded links such as "http&#x3a;&#x2f;&#x2f;backend.com&#x3a;80&#x2f;". It identifies the link embedded in JavaScript by looking for "http" or "https" followed by "&#x3a;&#x2f;&#x2f;". Any WebSEAL host name or junction path substituted into the filtered link will have the characters not in the set a-zA-Z0-9. replaced by their encoded forms &#xHH;.

ampersand-dec = ^a-zA-Z0-9. - Lets WebSEAL find and filter ampersand decimal encoded links such as "http&#58;&#47;&#47;backend.com&#58;80&#47;". It identifies the link embedded in JavaScript by looking for "http" or "https" followed by "&#58;&#47;&#47;". Any WebSEAL host name or junction path substituted into the filtered link will have the characters not in the set a-zA-Z0-9. replaced by their encoded forms &#DDD;.

percent = ^a-zA-Z0-9. - Lets WebSEAL find and filter percent hex encoded links such as "http%3a%2f%2fbackend.com%3a80%2f". It identifies the link embedded in JavaScript by looking for "http" or "https" followed by "%3a%2f%2f". Any WebSEAL host name or junction path substituted into the filtered link will have the characters not in the set a-zA-Z0-9. replaced by their encoded forms %HH. This may be required for attributes containing Flash URLs.

escaped-x = ^a-zA-Z0-9. - Lets WebSEAL find and filter backslash-X hex encoded links such as "http\x3a\x2f\x2fbackend.com\x3a80\x2f". It identifies the link embedded in JavaScript by looking for "http" or "https" followed by "\x3a\x2f\x2f". Any WebSEAL host name or junction path substituted into the filtered link will have the characters not in the set a-zA-Z0-9. replaced by their encoded forms \xHH. This may be required for JavaScript-encoded URLs.
The encoding I encountered, escaped-u, had no example in the documentation, so I wasn't sure whether anything special needed configuring. I found there was a subtle difference: with that encoding the ":" is not encoded (JavaScript strings write "://" as ":\u002f\u002f", not "\u003a\u002f\u002f"), so it has to be included in the list of characters not to escape, like so:

[filter-advanced-encodings]
escaped-u = ^a-zA-Z0-9.:
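To see why the ":" matters, the following added example models the detection rule the documentation describes (encode "://" with a stanza entry's method and character set, then look for "http"/"https" followed by that encoded string) and runs it over the backslash-U link from the top of the page. This is illustration code written for this post, not WebSEAL's own implementation: the stanza parsing, the encoders, the sample script and the assumed junction layout (backend "someserver:8080" junctioned at "/", so links become relative) are all constructed here, and the "ampersand" method is omitted because its output is not a fixed per-character form.

```javascript
// Added example: a model of WebSEAL's [filter-advanced-encodings] detection
// rule. Not WebSEAL code; names, encoders and the sample script are assumptions.

// Parse a <chars to escape> spec: "a-z" is a range, a leading "^" negates the
// set, and a leading "-" (after any "^") is a literal hyphen.
function parseCharSpec(spec) {
  let negate = false;
  let s = spec;
  if (s.startsWith("^")) { negate = true; s = s.slice(1); }
  const set = new Set();
  let i = 0;
  if (s.startsWith("-")) { set.add("-"); i = 1; }
  while (i < s.length) {
    if (i + 2 < s.length && s[i + 1] === "-") {          // range lo-hi
      const lo = s.charCodeAt(i), hi = s.charCodeAt(i + 2);
      for (let c = lo; c <= hi; c++) set.add(String.fromCharCode(c));
      i += 3;
    } else {
      set.add(s[i]);
      i += 1;
    }
  }
  return (ch) => (negate ? !set.has(ch) : set.has(ch));
}

// Per-character encoders for the methods whose output form is fixed.
const hex2 = (ch) => ch.charCodeAt(0).toString(16).padStart(2, "0");
const hex4 = (ch) => ch.charCodeAt(0).toString(16).padStart(4, "0");
const METHODS = {
  "ampersand-hex": (ch) => "&#x" + hex2(ch) + ";",
  "ampersand-dec": (ch) => "&#" + ch.charCodeAt(0) + ";",
  "percent":       (ch) => "%" + hex2(ch),
  "percent-u":     (ch) => "%u" + hex4(ch),
  "escaped":       (ch) => "\\" + ch,
  "escaped-u":     (ch) => "\\u" + hex4(ch),
  "escaped-x":     (ch) => "\\x" + hex2(ch),
};

// Encode text with one stanza entry: only characters selected by the spec change.
function encodeWith(method, spec, text) {
  const shouldEscape = parseCharSpec(spec);
  const enc = METHODS[method];
  return Array.from(text).map((ch) => (shouldEscape(ch) ? enc(ch) : ch)).join("");
}

// The string WebSEAL looks for after "http"/"https": the entry's encoding of "://".
function markerFor(method, spec) {
  return encodeWith(method, spec, "://");
}

function escapeRegExp(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }

// Return every link in a script body that one stanza entry would detect.
// A quote or whitespace ends the link, as it ends a JS string literal.
function findEncodedLinks(method, spec, script) {
  const re = new RegExp("https?" + escapeRegExp(markerFor(method, spec)) + "[^\\s\"']*", "g");
  return script.match(re) || [];
}

// Rewrite a detected link so it points at the junction instead of the backend.
// The substituted junction path is encoded with the same entry, as WebSEAL does
// for host names and junction paths it inserts. Junction "/" yields a relative link.
function rewriteLink(method, spec, link, backend, junction) {
  for (const scheme of ["http", "https"]) {
    const prefix = encodeWith(method, spec, scheme + "://" + backend);
    if (link.startsWith(prefix)) {
      return encodeWith(method, spec, junction.replace(/\/$/, "")) + link.slice(prefix.length);
    }
  }
  return link; // not a backend link; leave it alone
}

// Apply the stanza entries in order to a script body.
function filterScript(stanza, script, backend, junction) {
  let out = script;
  for (const [method, spec] of stanza) {
    for (const link of findEncodedLinks(method, spec, out)) {
      out = out.split(link).join(rewriteLink(method, spec, link, backend, junction));
    }
  }
  return out;
}

// What the browser sees once the JS string literal is decoded (JSON shares \uXXXX syntax).
function decodeJsString(literal) { return JSON.parse('"' + literal + '"'); }

// Constructed sample: the backslash-U link from the page, as it appears in script source.
const SAMPLE_SCRIPT = 'var label = "http:\\u002f\\u002fsomeserver:8080\\u002fdemo\\u002fblah";';

// Documented set without ":" -> marker "\u003a\u002f\u002f" -> nothing found.
const missed = findEncodedLinks("escaped-u", "^a-zA-Z0-9.", SAMPLE_SCRIPT);
// With ":" excluded from encoding -> marker ":\u002f\u002f" -> link found and rewritten.
const filtered = filterScript([["escaped-u", "^a-zA-Z0-9.:"]], SAMPLE_SCRIPT, "someserver:8080", "/");
console.log("links found without ':' excluded:", missed.length);
console.log("filtered script:", filtered);
console.log("browser sees:", decodeJsString(filtered.match(/"([^"]*)"/)[1]));
```

The same helpers reproduce the markers the documentation lists for the other entries, e.g. markerFor("percent", "^a-zA-Z0-9.") is "%3a%2f%2f" and markerFor("ampersand-hex", "^a-zA-Z0-9.") is "&#x3a;&#x2f;&#x2f;", which is a quick way to check what a new stanza line will actually match before changing the WebSEAL configuration.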
This is particularly useful with SharePoint and any other JavaScript-intensive application server.