Encoded URLs and WebSEAL filtering

If you have encoded URLs in scripting thats protected by WebSEAL, it won’t automatically filter it, unless you configure the encoding.

For example:

Javascript Link Backslash U hex encoded: 

var a = document.createElement('a');
var label = "http:u002fu002fsomeserver:8080u002fdemou002fblah";
a.href = label;
var linkText = document.createTextNode(label);
a.appendChild(linkText);
a.title = "my title text";
a.href = label;
document.body.appendChild(a);

Without filtering configured correctly, this link will be displayed in the browser as

http://someserver:8080/demo/blah

Rather than pointing to the WebSEAL relative URL:

/demo/blah

In WebSEAL 6.1.1 FP7 we added a new stanza for advanced encoding.

A new option has been added to allow webseal to filter URI encoded and escaped 
URLs.

To enable advanced filtering, add the following option to the [server] stanza
of the webseal configuration file:

[server]
disable-advanced-filtering = false

The WebSEAL advanced filtering is able to process a number of URI encoding types.


A new stanza called "[filter-advanced-encodings]" is used to configure the types
of encoding which will be detected and filtered.  The general format of the 
stanza is:

 [filter-advanced-encodings]
 <escaping method> = <chars to escape>
 <escaping method> = <chars to escape>
 ...

where <escaping method> is one of:

<escaping method>:
   ampersand     - Ampersand encoded          
                   (EG HTTP://host:port/path?V1=D1&amp;V2=D2)
   ampersand-hex - Ampersand just hex encoded 
                   (EG HTTP://host:port/)
   ampersand-dec - Ampersand just dec encoded 
                   (EG HTTP:99host:port9)
   escaped       - Backslash encoded          
                   (EG HTTP://host:port/)
   percent       - Percent hex encoded        
                   (EG HTTP%3A%2F%2Fhost%3Aport%2F)
   escaped-u     - Backslash U hex encoded    
                   (EG HTTP:u002fu002fhost:portu002f)
   percent-u     - Percent U hex encoded      
                   (EG HTTP%u003a//host%u003aport/)
   escaped-x     - Backslash X hex encoded    
                   (EG HTTPx3Ax2Fx2Fhostx3Aportx2F)

and <chars to encode> is a list of chars that need encoding, governed by the 
following rules:
   - If two chars are separated by a '-' (hyphen) char, then this is a range of
     chars to encode.  For example "A-Z" would be all chars from 'A' to 'Z' 
     including 'A' and 'Z'.
   - If the first char in the list is the '^' char, then the list of chars are 
     those chars *not* to encode.  For example "^A-Za-z" would be all chars 
     excluding chars from 'A' to 'Z' and excluding chars from 'a' to 'z'.
   - If the first char (excluding the '^' char) is a '-' (hyphen) char, then 
     that will be taken as the literal '-' char rather than representing a 
     range of chars.

Note: It is permissible to have multiple entries with the same <escaping method>
assuming they produce different encodings of the "://" string.

WebSEAL will use the <escaping method> against <chars to escape> to encode the
string "://" amd use that encoded value in combination with "http" or "https" to
detect encoded URLs.  The very first entry should be define the "ampersand"
encoding method and not list the char ':' and '/' in the <chars to encode>.
This will then match URLs with an un-encoded "://".


As an example, the following [filter-advanced-encodings] stanza:

[filter-advanced-encodings]
ampersand     = &<>"'
ampersand-hex = ^a-zA-Z0-9.
ampersand-dec = ^a-zA-Z0-9.
percent       = ^a-zA-Z0-9.
escaped-x     = ^a-zA-Z0-9.

specifies the behavior:

ampersand = &<>"'
- This will allow WebSEAL to find and filter unencoded links such as
"http://backend.com:80/".  It identifies the link by looking for "http"
or "https" followed by "://".  Any WebSEAL host name or junction path
replaced in the filtered link will have the chars &<>"' replaced by their
encoded forms, &amp; &lt; &gt; &quot; and , respectively.

ampersand-hex = ^a-zA-Z0-9.
- This will allow WebSEAL to find and filter ampersand hex encoded links
such as "http://backend.com:80/".  It identifies
the link embedded in java script by looking for "http" or "https"
followed by "://".  Any WebSEAL host name or junction path
replaced in the filtered link will have the chars not in the set a-zA-Z0-9.
replaced by their encoded forms &#xHH;.

ampersand-dec = ^a-zA-Z0-9.
- This will allow WebSEAL to find and filter ampersand hex encoded links
such as "http://backend.com:80/".  It identifies the
link embedded in java script by looking for "http" or "https" followed by
"://".  Any WebSEAL host name or junction path replaced in the
filtered link will have the chars not in the set a-zA-Z0-9. replaced by
their encoded forms &#DDD;.

percent = ^a-zA-Z0-9.
- This will allow WebSEAL to find and filter ampersand hex encoded links
such as "http%3a%2f%2fbackend.com%3a80%2f".  It identifies the link embedded
in java script by looking for "http" or "https" followed by "%3a%2f%2f".
Any WebSEAL host name or junction path replaced in the filtered link will
have the chars not in the set a-zA-Z0-9. replaced by their encoded forms %HH.
This may be required for attributes with Flash URLs.

escaped-x = ^a-zA-Z0-9.
- This will allow WebSEAL to find and filter ampersand hex encoded links
such as "httpx3ax2fx2fbackend.comx3a80x2f".  It identifies the link
embedded in java script by looking for "http" or "https" followed by
"x3ax2fx2f".  Any WebSEAL host name or junction path replaced in the
filtered link will have the chars not in the set a-zA-Z0-9. replaced by
their encoded forms xHH.  This may be required for Javascript encoded URLs.

The encoding that I encountered escaped-u however didn’t have an example, so wasn’t sure if there was anything special to configure. I found there was a subtle change, where the “:” wasn’t encoded, so had to include that in the list of characters not to encode, like so:

[filter-advanced-encodings]
escaped-u = ^a-zA-Z0-9.:

This is particularly useful with SharePoint and any other JavaScript intensive Application Servers.

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

WordPress.com.

Up ↑

%d bloggers like this: