HTTP: RFC 2397 Data URL Scheme Policy


#1

Hi,
We realized the getRowEvolutionPopover requests were being blocked by our IPS.
The IPS signature description that blocked the traffic is as follows:

RFC 2397 defines a method to embed small amounts of binary data as an inline, base64-encoded element of an HTML or XML document. Some XML/HTML parsing client applications are aware of this data encoding method (the notable exception being Microsoft Internet Explorer 6.x and prior). There is a concern that an attacker can leverage this unusual encoding method to transport malicious executable code to these clients while evading screening devices which are not designed to decode these RFC 2397 data URLs.

The URL is as follows:
index.php?date=2015-07-13&apiMethod=Actions.getPageUrls&label=%40%252Findex&disableLink=1&module=CoreHome&action=getRowEvolutionPopover&colors=%7B%22backgroundColor%22%3A%22%23ffffff%22%2C%22lineColor%22%3A%22%23162c4a%22%2C%22minPointColor%22%3A%22%23ff7f7f%22%2C%22maxPointColor%22%3A%22%2375bf7c%22%2C%22lastPointColor%22%3A%22%2355aaff%22%7D&idSite=7&period=day

May I seek your advice: besides adding the IPS signature to the exception list, is it possible to change the code to avoid this IPS block?

Thanks.


(Matthieu Aubry) #2

Hi there,

The RFC mentions “base 64 encoded” data, but the URL you pasted that triggered the rule does not even contain base64 data; it is simply a JSON string, URL encoded.
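To make that distinction checkable, here is an added example (not code from the thread or from Matomo) that percent-decodes the query string once, tests each parameter against the RFC 2397 `data:[<mediatype>][;base64],<data>` syntax, and reports which parameters are in fact JSON. The function names are assumptions; the only input is the request quoted above, embedded as a constant.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# The request quoted in the thread, embedded here as a constant so the check runs offline.
REQUEST_URL = (
    "index.php?date=2015-07-13&apiMethod=Actions.getPageUrls&label=%40%252Findex"
    "&disableLink=1&module=CoreHome&action=getRowEvolutionPopover"
    "&colors=%7B%22backgroundColor%22%3A%22%23ffffff%22%2C%22lineColor%22%3A%22%23162c4a%22"
    "%2C%22minPointColor%22%3A%22%23ff7f7f%22%2C%22maxPointColor%22%3A%22%2375bf7c%22"
    "%2C%22lastPointColor%22%3A%22%2355aaff%22%7D&idSite=7&period=day"
)

# RFC 2397 syntax: data:[<mediatype>][;base64],<data>
DATA_URL_RE = re.compile(
    r"^data:(?P<media>[^,;]*)(?P<params>(?:;[^,;]*)*?)(?P<b64>;base64)?,(?P<payload>.*)$",
    re.IGNORECASE | re.DOTALL,
)


def decode_query(url):
    """Percent-decode the query string once, as the server does, into {name: first value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def find_data_urls(params):
    """Return {param: {"media_type", "base64"}} for each value that really is a data URL."""
    hits = {}
    for name, value in params.items():
        m = DATA_URL_RE.match(value.strip())
        if m:
            hits[name] = {"media_type": m.group("media") or "text/plain",
                          "base64": m.group("b64") is not None}
    return hits


def parse_json_params(params):
    """Return {param: parsed object} for each value that decodes as a JSON object or array."""
    found = {}
    for name, value in params.items():
        try:
            obj = json.loads(value)
        except ValueError:
            continue
        if isinstance(obj, (dict, list)):
            found[name] = obj
    return found


if __name__ == "__main__":
    params = decode_query(REQUEST_URL)
    print("data URLs:", find_data_urls(params))             # {} -> the signature mis-fired
    print("JSON params:", list(parse_json_params(params)))  # ['colors']
```

Running it on the quoted request finds no `data:` value at all, only the `colors` parameter holding a JSON object, which is the false positive the reply describes.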