x-bluecoat-waf-monitor-details
x-bluecoat-waf-block-details
Therefore you will not be able to see what encoding is triggering the multiple_encoding action.
For example if you add a cookie to the request with the following value:
%253C%252Fscript%253E
and are in monitor only mode for WAFS then the x-bluecoat-waf-monitor-details field will display the following unencoded value:
[{""detect"":""multiple_encoding"",""part"":""cookie_name"",""data"":""<\/script>""}]
x-bluecoat-request-details-header
x-bluecoat-request-details-body
By default these logs are present but no values because you need to enable them via policy gestures:
Cookie: %253C%252Fscript%253E\r\n
;; Normalization
;;==============
<proxy>
http.request.normalization.default(auto)
This is the rule which triggers multiple encoding.
The (auto) option expands to the following normalization setting:
http.request.normalization.default("urlDecode:(path),urlDecode:jsDecode:htmlEntityDecode:trimDecode:(header_name,header,cookie_name,cookie),urlDecode:urlDecode:jsDecode:htmlEntityDecode:utf8toUnicode:trimDecode:(arg_name,arg)")
So with the above example what does this mean. We know the cookie header is triggering the multiple_encoding so this applies:
urlDecode:jsDecode:htmlEntityDecode:trimDecode:(header_name,header,cookie_name,cookie)
So multiple encoding means if encoded more than once it will trigger multiple_encoding since we are only expecting the value to be encoded the once due to the presence of a single:
"urlDecode".
So that means if you see %25 in the cookie header then we will block the request since we are expecting a "%".
<proxy>
http.request.normalization.default(auto)