Access Gateway returns HTTP 400 Bad Request error if the Referer Header in the browser request includes "queryString=&Personal=false"

  • 7024782
  • 18-Aug-2020
  • 18-Aug-2020

Environment

  • Access Manager 4.4.4
  • Access Manager 4.5.1
  • Access Manager 4.5.2
  • Access Manager 4.5.3

Situation

  • Access Gateway Proxy Service has been configured to protect a web application

  • On some browser requests to the application the proxy returns:
    "Your browser (or proxy) sent a request that this server could not understand."
    in an HTTP 400 Bad Request response

Resolution

  • This issue has been reported to engineering
  • As a workaround you can turn off XSS detection using the Global Advanced Option: "NAGGlobalOptions DisableDetectXSS=on"

Cause

The Access Gateway runs XSS detection (turned on by default). Its pattern #1 is meant to catch inline event-handler attributes of the form "on<name>=", and it also matches the string "sona" in "...Personal=false" in the Referer Header, so the request is rejected as a suspected XSS attack (see the error_log excerpt below).


error_log (debug mode)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2020-08-18T11:04:19.754620+02:00 aga02 httpd[28496]: [novell_ag:info] [pid 28496:tid 139640048609024] AM#504600000 AMDEVICEID#ag-949006FD6D159570: AMAUTHID#: AMEVENTID#20: matched PR:PR_Root
2020-08-18T11:04:19.754708+02:00 aga02 httpd[28496]: [:debug] [pid 28496:tid 139640048609024] ../xss.c(44): [client 147.2.99.206:60674] xss: Scanning https://nw65.kgast.nam.com?queryString=&ShowOnlyPersonal=false, referer: https://nw65.kgast.nam.com?queryString=&ShowOnlyPersonal=false
2020-08-18T11:04:19.754805+02:00 aga02 httpd[28496]: [:debug] [pid 28496:tid 139640048609024] ../xss.c(86): [client 147.2.99.206:60674] xss:https://nw65.kgast.nam.com?queryString=&ShowOnlyPersonal=false matched pattern # 1 : (?i)([s"'`;/0-9=\v\t\x0c;,(;]+on[a-zA-Z]+[s\v\t\x0c;,(;]*?=) , referer: https://nw65.kgast.nam.com?queryString=&ShowOnlyPersonal=false
2020-08-18T11:04:19.754909+02:00 aga02 httpd[28496]: [novell_ag:info] [pid 28496:tid 139640048609024] AM#504600000 AMDEVICEID#ag-949006FD6D159570: AMAUTHID#: AMEVENTID#20: xss: XSS attack detected in header Referer:https://nw65.kgast.nam.com?queryString=&ShowOnlyPersonal=false, returing bad request
2020-08-18T11:04:19.754998+02:00 aga02 httpd[28496]: [:debug] [pid 28496:tid 139640048609024] ../mod_auth_liberty.c(980): [client 147.2.99.206:60674] Host Header is nw65.kgast.nam.com
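The following Python script is an added illustration, not part of this article or of the Access Gateway code: it applies pattern #1 exactly as printed in the debug log above to a few URLs and lists what the pattern would flag. The leading "s" in the character class is used as logged (it may have been "\s" before logging), and the sample URLs other than the one from the log are constructed.

```python
import re

# Pattern #1 copied verbatim from the xss.c debug line above. It is written to
# catch inline HTML event handlers such as  "onload=  or  ;onerror=  : one or
# more "separator" characters, the letters "on", a handler name, then "=".
XSS_PATTERN_1 = re.compile(
    r'''(?i)([s"'`;/0-9=\v\t\x0c;,(;]+on[a-zA-Z]+[s\v\t\x0c;,(;]*?=)'''
)


def xss_pattern_hits(value: str) -> list[str]:
    """Return every substring of a URL or header value that pattern #1 flags.

    An empty list means the Access Gateway would not treat the value as XSS.
    """
    return XSS_PATTERN_1.findall(value)


def classify_referers(referers: list[str]) -> dict[str, list[str]]:
    """Map each Referer value to the substrings that would trigger a 400."""
    return {ref: xss_pattern_hits(ref) for ref in referers}


# Constructed sample set: the Referer from the log, a harmless variant without
# the "sona" sequence, and a genuine inline event-handler injection attempt.
SAMPLE_REFERERS = [
    "https://nw65.kgast.nam.com?queryString=&ShowOnlyPersonal=false",  # from the log
    "https://nw65.kgast.nam.com?queryString=&ShowAll=false",           # constructed
    "https://example.test/?q=1;onload=alert(1)",                       # constructed
]

if __name__ == "__main__":
    for referer, hits in classify_referers(SAMPLE_REFERERS).items():
        verdict = "400 Bad Request (XSS detected)" if hits else "passed"
        print(f"{referer}\n    -> {verdict} {hits}")
```

Running the script shows that the log's Referer is flagged on "sonal=" (the tail of "Personal=") while the variant without that sequence passes, which is how to confirm whether a given application URL is affected before disabling XSS detection globally.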

Additional Information

Tools used for troubleshooting this issue:
  • Telerik Fiddler
  • Access Gateway running in debug mode
  • httpheaders logging turned on for the Access Gateway using the following Advanced Options:
    • DumpHeaders on
    • DumpResponseHeaders on
    • NAGGlobalOptions DebugHeaders=on
    • DumpHeadersFacility local6
    • DumpResponseHeadersFacility local6