This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

"+" Character in Referer = Site not reachable

Dear all,

i have a very strange problem. We have a Website, which can be accessed via internet over WAF with a "+" character in URL parameter. This site can be accessed normally but if you choose a link from there, the "+" character is not visible in the referer field and causes the site to be not reachable. I did a tcpdump, where the problem is more visible:

GET / HTTP/1.1
Host: host.domain.de
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1
Accept-Language: de-de
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 200 OK
Date: Thu, 20 Feb 2020 15:26:04 GMT
Server: Apache
Cache-Control: max-age=691200
Content-Type: text/html;charset=ISO-8859-1
Last-Modified: Wed, 19 Feb 2020 13:57:24 GMT
Accept-Ranges: bytes
ETag: "a55184832ce7d51:0"
X-Powered-By: ASP.NET
Content-Length: 121
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive

<html><body>
<a href="index2.html?example=one+two">Test-Site (This Site should load)</a>
</body></html>GET /index2.html?example=one+two HTTP/1.1
Host: host.domain.de
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1
Referer: http://host.domain.de/
Accept-Language: de-de
Accept-Encoding: gzip, deflate

HTTP/1.1 200 OK
Date: Thu, 20 Feb 2020 15:26:07 GMT
Server: Apache
Cache-Control: max-age=691200
Content-Type: text/html;charset=ISO-8859-1
Last-Modified: Wed, 19 Feb 2020 13:58:01 GMT
Accept-Ranges: bytes
ETag: "ba598d992ce7d51:0"
X-Powered-By: ASP.NET
Content-Length: 151
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive

<html><body>
<p>Now we have a + character in URL</p>
<a href="test.html">Test-Site (This site should not load anymore)</a>
</body></html>GET /test.html HTTP/1.1
Host: host.domain.de
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1
Referer: host.domain.de/index2.html two
Accept-Language: de-de
Accept-Encoding: gzip, deflate

The colloring is from Wireshark.

We are using Sophos UTM SG450 / 9.701-6

 

Hopefully someone can help.

 

Best Regards
Alex



This thread was automatically locked due to age.
Parents Reply Children