ProxySG/ASG/SGVA returning hexadecimal encoded escape characters under exception page
Last Updated June 20, 2019
When ProxySG/ASG/SGVA returns an exception page as a result of exception policy match, HTML ASCII charactersarebeing replaced by hexadecimal encoded escape characters. For example, when SG returning a policy deny exception with "Your request url $(url)", exception page looks like below:
Instead of returning 'Your request url http://www.example.com/' it returns 'Your request url http://www.example.com/'. Here SG is replacing unsafe character '/' with escape charecters '/'
This is expected behavior starting from SGOS 126.96.36.199 and higher versions. As part of security tightening to prevent XSS (cross site scripting) attack, starting with SGOS 188.8.131.52 unsafe (sensitive) HTML characters such as “<“, “>”, “&” , "/" ,whitespace etc will be replaced with hexadecimal encoded escape characters. SG will modify unsafe HTML character when it's retuning its own HTML resources such as exception pages. By default this does not apply when SG returning a HTML response from OCS (Origin content server). Most modern browser are capable of converting this escape characters back to the original ASCII charecters, hence when above exception page is returned back to the browser it will be rendered with original ASCII charecter i.e 'Your request url http://www.example.com/'.
In above example if $(url) would hold an integer value, there would be no risk. The problem arises when $(url) holds a string (in this case it holds request URL) that contains HTML sensitive characters which are vulnerable to XSS attacks.
More information related to XSS (Cross Site Scripting) Prevention techniques can be found on Open Web Application Security Project (OWASP) Website.
ID: SG-12132 & SG-4415
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe