https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442076#M210164 <HTML><HEAD></HEAD><BODY><P>Definetly - it is even BSP-specific.</P><P>Brian McKellar has posted some documents on that topic in SDN. I just do not have the URL at hand ...</P></BODY></HTML> Mon, 24 Jul 2006 06:48:18 GMT Wolfgang_Janzen 2006-07-24T06:48:18Z https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442070#M210158 <HTML><HEAD></HEAD><BODY><P>Hi security folks,</P><P></P><P>We have a scanning tool which we successfully use to anaylze development work on web applications. The main purpose is security analysis such as parameter validations etc etc.</P><P></P><P>The SAP WAS is causing problems for such analysis as the parameters / values are base64 encoded into the path, so the scanner cannot know or test it.</P><P></P><P>Does anybody know whether and where it is possible (or legal?) to deactivate this encoding, or should we just accept it as a security feature which makes our system safer?</P><P></P><P>Kind regards,</P><P>Julius</P></BODY></HTML> Wed, 19 Jul 2006 16:12:56 GMT https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442070#M210158 Former Member 2006-07-19T16:12:56Z https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442071#M210159 <HTML><HEAD></HEAD><BODY><P>The base64 encoding is not a security mechanism. It is used to transport special characters in URLs without using URL encoding. I do not know if there is a way to deactivate the b64 encoding but strongly doubt it.</P><P></P><P>I suppose you are refering to a web application firewall in front of your SAP WAS. Wouldn't it be possible to identify those parameters that are b64 encoded, decode them in the WAF and check the decoded values? As far as I know most of the params are not encoded and can be checked right away.</P><P></P><P>Cheers,</P><P>Christian</P></BODY></HTML> Thu, 20 Jul 2006 09:03:07 GMT https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442071#M210159 christian_wippermann 2006-07-20T09:03:07Z https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442072#M210160 <HTML><HEAD></HEAD><BODY><P>Thanks Christian,</P><P></P><P>I also have my doubts as OSS returns a note indicating that the government has middled with the topic. (631826 category "legal change")</P><P></P><P>The scanner is located on the front end and the user navigates around a bit so the scanner can inform itself. The encoding of parameters and values for the same directory makes it think that all URLs are unique paths - &gt; so it cannot go prowling beyond the encoded value.</P><P></P><P>The idea of the tool is not rocket science, it is used to automate some of the testing / QA (with a bit of help from human intuition) to do a high level check for known errors (scripting, injection, missing input validation etc). Never the less, is there a source on identifying a b64 encoded value and decoding it?</P><P></P><P>Many thanks for the idea,</P><P>Julius</P></BODY></HTML> Thu, 20 Jul 2006 09:40:39 GMT https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442072#M210160 Former Member 2006-07-20T09:40:39Z https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442073#M210161 <HTML><HEAD></HEAD><BODY><P>Hi Julius,</P><P></P><P>If you do semi-automated checks, you should find them. Strings like "Y2t3Lg==" especially if they have one or two equal signs at the end are most probably Base64 (&lt;a href="http://en.wikipedia.org/wiki/Base64"&gt;see wikipedia for some detailed explaination&lt;/a&gt;).</P><P></P><P>Be careful that besides alphanumeric characters also "+" and "/" are allowed in b64 encoded values. They will additionally be URL encoded to %2B and %2F. Before you decode b64 you need to URLdecode these values.</P><P></P><P>For occasional decoding / encoding of base64, you could use the various online tools. Just google for "&lt;a href="http://www.google.de/search?hl=de&amp;q=base64<EM>encode</EM>decode&amp;meta="&gt;base64 encode decode&lt;/a&gt;".</P><P></P><P>Hope that helped,</P><P>Christian</P></BODY></HTML> Thu, 20 Jul 2006 11:03:29 GMT https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442073#M210161 christian_wippermann 2006-07-20T11:03:29Z https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442074#M210162 <HTML><HEAD></HEAD><BODY><P>Hi Julius,</P><P></P><P>I'm sorry, but most likely you are on the wrong track.</P><P><A class="jive_macro jive_macro_thread" href="https://community.sap.com/" __jive_macro_name="thread" modifiedtitle="true" __default_attr="137792"></A>).</P><P></P><P>Regards, Wolfgang</P></BODY></HTML> Thu, 20 Jul 2006 12:54:58 GMT https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442074#M210162 Wolfgang_Janzen 2006-07-20T12:54:58Z https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442075#M210163 <HTML><HEAD></HEAD><BODY><P>Thank you Wolfgang,</P><P></P><P>Are mangled URL's a proprietary thing?</P><P></P><P>Julius</P></BODY></HTML> Thu, 20 Jul 2006 13:16:28 GMT https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442075#M210163 Former Member 2006-07-20T13:16:28Z https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442076#M210164 <HTML><HEAD></HEAD><BODY><P>Definetly - it is even BSP-specific.</P><P>Brian McKellar has posted some documents on that topic in SDN. I just do not have the URL at hand ...</P></BODY></HTML> Mon, 24 Jul 2006 06:48:18 GMT https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442076#M210164 Wolfgang_Janzen 2006-07-24T06:48:18Z https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442077#M210165 <HTML><HEAD></HEAD><BODY><P>Thank you Wolfgang.</P><P></P><P>We will try to find the decode_url and figure it out how to use it.</P><P></P><P>If the effort is worth it I will update the post.</P><P></P><P> Many thanks,</P><P>Julius</P></BODY></HTML> Mon, 24 Jul 2006 07:46:53 GMT https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442077#M210165 Former Member 2006-07-24T07:46:53Z https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442078#M210166 <HTML><HEAD></HEAD><BODY><P>&gt; Are mangled URL's a proprietary thing?</P><P></P><P>Here's the &lt;a href="/people/brian.mckellar/blog/2003/09/30/bsp-in-depth-url-mangling to Brian's Blog on "Mangled URLs"&lt;/a&gt;</P></BODY></HTML> Fri, 25 Aug 2006 08:20:15 GMT https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442078#M210166 Wolfgang_Janzen 2006-08-25T08:20:15Z https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442079#M210167 <HTML><HEAD></HEAD><BODY><P>Thank you Wolfgang!</P><P></P><P>From the blog: &lt;i&gt;"anyone in our group who even thinks about using frames is banished from the office for the day :-).&lt;/i&gt;"</P><P></P><P>Well, it is Friday and the sun is shining... <SPAN __jive_emoticon_name="happy"></SPAN></P></BODY></HTML> Fri, 25 Aug 2006 08:38:29 GMT https://community.sap.com/t5/application-development-and-automation-discussions/deactivate-encoding-for-analysis-purposes/m-p/1442079#M210167 Former Member 2006-08-25T08:38:29Z