DataPower

  • 1.  Unable to decode on datapower which contain ".." in request payload

    Posted Mon February 13, 2023 07:29 AM

    Hello Team,

    The consumer is getting a "500 Internal Server Error" from DataPower when sending an encoded request payload that contains ".." (consecutive dots) in the request payload.

    DataPower cannot accept a request which contains ".." in the request payload.

    Please help me understand the encode/decode mechanism in DataPower for the same.

    Ex:

    Text: %21%40%23ABCD...EFG



    ------------------------------
    Jyoti Yadav
    ------------------------------


  • 2.  RE: Unable to decode on datapower which contain ".." in request payload

    Posted Mon February 13, 2023 09:21 AM

    Check the "URL with .." option in the "Allowed methods and versions" section of the front side protocol handler. By default this option is disabled.



    ------------------------------
    Charlie Sumner
    ------------------------------



  • 3.  RE: Unable to decode on datapower which contain ".." in request payload

    Posted Tue February 14, 2023 10:21 AM

    Hello Charlie,

    Thank you for the support. Now we are able to process dotdot (..) in the request parameter.

    By default this option is disabled; is there any impact or issue if we enable the "URL with .." option?

    As per the article below, the option is disabled because of a security concern. Please help with how to overcome the mentioned security issue if we enable the "URL with .." option in the front side handler settings:

    https://www.ibm.com/support/pages/handling-urls-containing-dotdot-datapower-part-api-connect



    ------------------------------
    Jyoti Yadav
    ------------------------------



  • 4.  RE: Unable to decode on datapower which contain ".." in request payload

    Posted Wed February 15, 2023 10:41 AM

    Hi,

    Without knowing your specific use case we can only give some generic guidance. The use of '..' is usually associated with the Path Traversal attack, as mentioned in the support article you linked in your post. The OWASP site linked below contains some ideas on how to prevent these kinds of attacks from happening. In short, if you cannot filter the dangerous bits, always validate the input given by the user and accept only known good.

    https://owasp.org/www-community/attacks/Path_Traversal



    ------------------------------
    Hermanni Pernaa
    ------------------------------
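The "accept only known good" advice from the last reply, as an added example in plain JavaScript (the language of DataPower GatewayScript, but using no DataPower APIs; this is not code from the thread or from IBM). It fully percent-decodes a value so that double encoding cannot hide a traversal, rejects any URL path whose segments contain "." or "..", and accepts a payload value such as the poster's `%21%40%23ABCD...EFG` only when it matches an allow-list pattern supplied by the caller; the pattern and path shapes are assumptions.

```javascript
// Added example, not from the thread: allow-list validation for percent-encoded request data.
const MAX_DECODE_ROUNDS = 3;

// Decode repeatedly until the value stops changing, so a double-encoded
// sequence such as %252e%252e ("..") cannot slip past a single decode.
// Returns null for malformed escapes or values that keep changing.
function fullyDecode(s) {
  let prev = s;
  for (let i = 0; i < MAX_DECODE_ROUNDS; i++) {
    let cur;
    try {
      cur = decodeURIComponent(prev);
    } catch (e) {
      return null; // malformed %-escape: treat as invalid input
    }
    if (cur === prev) return cur;
    prev = cur;
  }
  return null; // still changing after MAX_DECODE_ROUNDS: suspicious
}

// A URL path is safe only if, after full decoding, no segment is "." or ".."
// and every segment matches the allowed character set. Backslashes are
// normalised to "/" first and NUL bytes are rejected outright.
function isSafePath(rawPath) {
  const decoded = fullyDecode(rawPath);
  if (decoded === null) return false;
  const normalized = decoded.replace(/\\/g, '/');
  if (normalized.includes('\0')) return false;
  return normalized
    .split('/')
    .every(seg => seg !== '.' && seg !== '..' && /^[A-Za-z0-9._-]*$/.test(seg));
}

// A payload value may legitimately contain "..": it is accepted when the
// decoded value matches the caller's allow-list grammar (assumed pattern),
// rather than by searching for ".." alone.
function isValidPayloadValue(rawValue, allowedPattern) {
  const decoded = fullyDecode(rawValue);
  return decoded !== null && allowedPattern.test(decoded);
}
```

The allow-list pattern should be as narrow as the field's real grammar allows; a generic "anything but .." check is exactly the denylist approach the OWASP page advises against.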