Hi Everyone,

I am trying to understand the pdweb.snoop trace format. Here is a snippet of the pdweb.snoop.log file, after decoding the same using the pdweb-snoop-viewer provided in IBM GitHub. 

Tying to figure out, what does the number 61 represents in the response body.



I am getting some token requests and the post body in a similar format. Which eventually, fails with a error code FBTOAU202E complaining about the missing required parameters (grant_type and client_id). 

Upon further investigation found, these requests don't get processed by STS and the <Parameters> in the HTTPRequestClaims of STSUU is empty. Hence, ISAM throws an error.


------------------------------
Biswajit Sahoo
------------------------------

Hello,

These hex values in the body are related to "chunked" encoding.  This is used as alternative to sending a content-length header and is useful when streaming because it means you don't need to supply the content-length at the start (when you don't know what it will be).  It also allows connections to stay open (keepalive) which is more efficient at the TCP layer.

For example, length of this text:
{"error":"invalid_request","error_description":"FBTOAU202E The required parameter: [grant_type] was not found in the request."}
is 127 characters.  This is 0x7F in Hex.

Unless you see something to indicate that application code is receiving these values, you can probably assume they are being consumed by the HTTP layer and are not affecting operation.

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------

Original Message:
Sent: Wed July 15, 2020 07:17 AM
From: Biswajit Sahoo
Subject: ISAM - Empty Parameters in STSUU HTTPRequestClaims

Hi Everyone,

I am trying to understand the pdweb.snoop trace format. Here is a snippet of the pdweb.snoop.log file, after decoding the same using the pdweb-snoop-viewer provided in IBM GitHub. 

Tying to figure out, what does the number 61 represents in the response body.

Request:
2020-07-14-09:55:55.442+00:00I----- thread(47) trace.pdweb.snoop.client:1 /home/webseal/20151013-1844/src/pdwebrte/webcore/amw_snoop.cpp:190:

POST /mga/sps/oauth/oauth20/token HTTP/1.1

accept: text/html, image/gif, image/jpeg, */*; q=.2

content-type: application/x-www-form-urlencoded; charset=UTF-8

client_id=CLIENTID&client_secret=SECRET&grant_type=password&username=user@example.com&password=PASSWORD&scope=SCOPE

Response:

Receiving 525 bytes

HTTP/1.1 200 OK

Content-Type: application/json;charset=UTF-8

Cache-Control: no-store, no-cache=set-cookie

61

{"access_token":"xxxxxxxxxxx","scope":"SCOPE","token_type":"bearer","expires_in":869}

I am getting some token requests and the post body in a similar format. Which eventually, fails with a error code FBTOAU202E complaining about the missing required parameters (grant_type and client_id). 

Upon further investigation found, these requests don't get processed by STS and the <Parameters> in the HTTPRequestClaims of STSUU is empty. Hence, ISAM throws an error.

Request (pdweb.snoop) :
2020-07-14-09:55:54.956+00:00I----- thread(46) trace.pdweb.snoop.client:1 /home/webseal/20151013-1844/src/pdwebrte/webcore/amw_snoop.cpp:164:
POST /mga/sps/oauth/oauth20/token HTTP/1.1
accept: text/html, image/gif, image/jpeg, */*; q=.2
content-type: application/x-www-form-urlencoded; charset=utf-8

e9
client_id=CLIENTID&client_secret=SECRET&grant_type=password&username=user@example.com&password=PASSWORD&scope=SCOPE
0

Response (pdweb.snoop) :
Receiving 527 bytes
HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store, no-cache=set-cookie

7f
{"error":"invalid_request","error_description":"FBTOAU202E The required parameter: [grant_type] was not found in the request."}

STSUU Snippet:

<HTTPRequestClaims xmlns="urn:ibm:names:ITFIM:httprequest">	<Attributes>		----- Attributes ----	</Attributes>	<Headers>		<Header Name="iv-user" Type="urn:ibm:names:ITFIM:httprequest:headers">					<Value>Unauthenticated</Value>		</Header>		<Header Name="content-type" Type="urn:ibm:names:ITFIM:httprequest:headers">					<Value>application/x-www-form-urlencoded; charset=utf-8</Value>		</Header>				----- Other Headers ----			</Headers>	<Cookies/>	<Parameters/></HTTPRequestClaims>​

My assumption is, in this case the client credentials (client id/secret, grannt_type) are sent to WebSEAL as JSON, hence are not processed properly.

But the wrapped integers of the post body are random for each request (e9, 0, 7f in this case). So trying to understanding, what is the significant of these values.

Thanks in Advance.

------------------------------
Biswajit Sahoo
------------------------------