Environment
- Access Manager 4.4.4
- Access Manager 4.5.1
- Access Manager 4.5.2
- Access Manager 4.5.3
Situation
- Access Gateway Proxy Service has been configured to protect a web application
- For some browser requests to the application the proxy answers with HTTP 400 Bad Request and the body:
"Your browser (or proxy) sent a request that this server could not understand."
Resolution
- This issue has been reported to engineering
- As a workaround, XSS detection can be turned off with the Global Advanced Option: "NAGGlobalOptions DisableDetectXSS=on"
- Because this is a global option it disables XSS detection for every proxy service on that Access Gateway, not only the affected one; the 400 responses stop, but the protected applications must then rely on their own input validation
Cause
- The Access Gateway's built-in XSS detection scans the request URL and request headers, including Referer, against a set of regular expressions and rejects the request with HTTP 400 on any match
- The Referer https://nw65.kgast.nam.com?queryString=&ShowOnlyPersonal=false matches XSS pattern #1, a rule meant to catch inline event-handler attributes such as onload= or onerror=. As printed in the log, the leading character class of the pattern contains a literal "s", so the substring "sonal=" of the legitimate parameter name ShowOnlyPersonal= is read as "s" followed by "on<letters>=" and the request is treated as an attack
error_log (debug mode)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2020-08-18T11:04:19.754620+02:00 aga02 httpd[28496]: [novell_ag:info] [pid 28496:tid 139640048609024] AM#504600000 AMDEVICEID#ag-949006FD6D159570: AMAUTHID#: AMEVENTID#20: matched PR:PR_Root
2020-08-18T11:04:19.754708+02:00 aga02 httpd[28496]: [:debug] [pid 28496:tid 139640048609024] ../xss.c(44): [client 147.2.99.206:60674] xss: Scanning https://nw65.kgast.nam.com?queryString=&ShowOnlyPersonal=false, referer: https://nw65.kgast.nam.com?queryString=&ShowOnlyPersonal=false
2020-08-18T11:04:19.754805+02:00 aga02 httpd[28496]: [:debug] [pid 28496:tid 139640048609024] ../xss.c(86): [client 147.2.99.206:60674] xss:https://nw65.kgast.nam.com?queryString=&ShowOnlyPersonal=false matched pattern # 1 : (?i)([s"'`;/0-9=\v\t\x0c;,(;]+on[a-zA-Z]+[s\v\t\x0c;,(;]*?=) , referer: https://nw65.kgast.nam.com?queryString=&ShowOnlyPersonal=false
2020-08-18T11:04:19.754909+02:00 aga02 httpd[28496]: [novell_ag:info] [pid 28496:tid 139640048609024] AM#504600000 AMDEVICEID#ag-949006FD6D159570: AMAUTHID#: AMEVENTID#20: xss: XSS attack detected in header Referer:https://nw65.kgast.nam.com?queryString=&ShowOnlyPersonal=false, returing bad request
2020-08-18T11:04:19.754998+02:00 aga02 httpd[28496]: [:debug] [pid 28496:tid 139640048609024] ../mod_auth_liberty.c(980): [client 147.2.99.206:60674] Host Header is nw65.kgast.nam.com
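To see why this Referer trips the rule, the following Python example (added for this article; it is not Access Manager code) applies pattern #1 exactly as it appears in the log to the logged Referer and to a few constructed header values, and models the DisableDetectXSS workaround as a flag. The header names and every sample URL other than the logged Referer are constructed for illustration.

```python
import re

# XSS pattern #1 copied verbatim from the Access Gateway debug log (xss.c).
# Note the literal 's' inside the leading character class: it is what lets an
# ordinary parameter name such as "...Personal=" satisfy the rule.
XSS_PATTERN_1 = re.compile(
    r"""(?i)([s"'`;/0-9=\v\t\x0c;,(;]+on[a-zA-Z]+[s\v\t\x0c;,(;]*?=)"""
)


def scan_value(value: str):
    """Return the fragment that matches pattern #1, or None if the value is clean."""
    m = XSS_PATTERN_1.search(value)
    return m.group(1) if m else None


def check_request(headers: dict, detect_xss: bool = True):
    """Mimic the gateway's header scan.

    Returns (status, offending_header, fragment). detect_xss=False models
    "NAGGlobalOptions DisableDetectXSS=on": nothing is scanned, every request
    passes. (Illustrative model, not the product's implementation.)
    """
    if not detect_xss:
        return 200, None, None
    for name, value in headers.items():
        hit = scan_value(value)
        if hit is not None:
            return 400, name, hit
    return 200, None, None


# Constructed sample inputs. LEGIT_REFERER is the Referer from the error_log
# above; the other three are made up for this example.
LEGIT_REFERER = "https://nw65.kgast.nam.com?queryString=&ShowOnlyPersonal=false"
BENIGN_REFERER = "https://nw65.kgast.nam.com/app?page=2&sort=name"
ATTACK_REFERER = "https://nw65.kgast.nam.com/?q=<svg/onload=alert(1)>"
ENCODED_ATTACK = "https://nw65.kgast.nam.com/?q=<img src=x%20onerror=alert(1)>"

if __name__ == "__main__":
    samples = [
        ("legit (TID)", LEGIT_REFERER),
        ("benign", BENIGN_REFERER),
        ("attack", ATTACK_REFERER),
        ("encoded attack", ENCODED_ATTACK),
    ]
    for label, ref in samples:
        status, hdr, frag = check_request(
            {"Host": "nw65.kgast.nam.com", "Referer": ref}
        )
        print(f"{label:<15} HTTP {status}  header={hdr}  fragment={frag!r}")
    # Same legitimate request with the workaround applied
    print("DisableDetectXSS=on ->", check_request({"Referer": LEGIT_REFERER}, detect_xss=False)[0])
```

The legitimate Referer is rejected on the fragment "sonal=", while a URL such as /app?page=2&sort=name passes; the two constructed payloads match on "/onload=" and, because digits are in the character class, on "20onerror=" from the percent-encoded space. The workaround makes all four pass, which is why it should be weighed against the applications' own filtering.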
Additional Information
- Telerik Fiddler
- Access Gateway running in debug mode
- HTTP header logging enabled on the Access Gateway with the following Advanced Options:
- DumpHeaders on
- DumpResponseHeaders on
- NAGGlobalOptions DebugHeaders=on
- DumpHeadersFacility local6
- DumpResponseHeadersFacility local6