Hey,
I represent a web company; we have a simple "recover your password" link.
The link is built as follows:
https://example.com/ApproveResetPassword.aspx
?h=299ccda9d4be0539c0d9412ca61279f68dc78ebb
&u=9LCs%2bi7h2jf4ytFooB%2badOoz32ZgtLz1hOHInL%2bpl1Q%3d
&t=57d1899a02360d5a1010d3f2e04a6a134e6bd416.101654
The u parameter is username -> encryption -> base64 -> URL-encoded.
After your ATP service, the hyperlink inside the client-sent email becomes:
https://clicktime.symantec.com/a/1/LmdzOJrlbvqcq4StoIteWAgiLcpV1domoK27CctUqSA=?d=h296INdOLLKRfG6nZijbhWZFMz3kzPjLr_eJJHBZb0r4DL5FDJGNPzSy47q48akH8g6SPwHCxYDgMfQrqfdBlMkHRLsx2VuigXoMcXJBUr6b2gMV4XcxP_onB72ojBwymal3fQ-zPY7EerqK_Q7-2oI3eZtHF_ghAbZksKfGOVPvv1t_jr34UXtaiA_Cm979PnmX3QwbmXvhUTzvv7hAwZ2sLjd-heeBE1u0rwNgtxVrxjHAj0LckmHQNfyTzHxPBC99SJWanPXc32FGlpkPJA7I7rvI7f2lY_fR59iKwyM0DEa00bg7aJO6SzzFKj2aLLRXBEC-MrEjtA_M88dYeam5nSV4Ys4%3D&u=https://fake.com/ApproveResetPassword.aspx?h%3D299ccda9d4be0539c0d9412ca61279f68dc78ebb%26u%3D9LCs%2Bi7h2jf4ytFooB%2BadOoz32ZgtLz1hOHInL%2Bpl1Q%3D%26t%3Dc901d7e0c549353574c82d739e51533c2cc75c9b.101606
Let’s examine the URL parameter:
u=https://fake.com/ApproveResetPassword.aspx?
h%3D299ccda9d4be0539c0d9412ca61279f68dc78ebb
u%3D9LCs%2Bi7h2jf4ytFooB%2BadOoz32ZgtLz1hOHInL%2Bpl1Q%3D
t%3Dc901d7e0c549353574c82d739e51533c2cc75c9b.101606
Up to this point everything is OK, but let's look at the redirected URL:
https://fake.com/ApproveResetPassword.aspx
?h=299ccda9d4be0539c0d9412ca61279f68dc78ebb
&u=9LCs+i7h2jf4ytFooB+adOoz32ZgtLz1hOHInL+pl1Q=
&t=c901d7e0c549353574c82d739e51533c2cc75c9b.101606
Fiddler's capture: https://ibb.co/fw25BS
As you can see, the parameters in the redirected URL are no longer URL-encoded.
I need to know if there's something to be done on the app side so that the parameters in the query string remain URL-encoded.
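Here is a simulation of the round trip described above, added as an example that is not part of the original post. The proxy behaviour (decode the wrapped link once, redirect to it without re-encoding) is inferred from the two URLs shown in the post and is an assumption; the proxy hostname, the d value and the h/t values are placeholders. The u value is the one from the post's redirected link, reused here only as sample bytes.

```python
"""Round trip: app builds link -> click-time proxy wraps it -> proxy decodes
once on click -> app parses the query string. Proxy behaviour is assumed."""
import base64
import urllib.parse

# The post's u value after the proxy decoded it once (standard base64 with
# '+' and '=' in it). Its plaintext is unknown; only the bytes matter here.
STANDARD_B64_TOKEN = "9LCs+i7h2jf4ytFooB+adOoz32ZgtLz1hOHInL+pl1Q="
RAW_TOKEN = base64.b64decode(STANDARD_B64_TOKEN)

# Same bytes as base64url (RFC 4648 section 5) with the '=' padding dropped:
# the alphabet is A-Z a-z 0-9 '-' '_', none of which a query-string parser
# treats specially, so one decode too many changes nothing.
URLSAFE_TOKEN = base64.urlsafe_b64encode(RAW_TOKEN).rstrip(b"=").decode("ascii")

APP_BASE = "https://example.com/ApproveResetPassword.aspx"
PROXY_BASE = "https://clicktime.example.invalid/a/1/"  # placeholder host


def build_reset_link(token, h="0" * 40, t="0.1"):
    """The application's link: each parameter percent-encoded exactly once."""
    return APP_BASE + "?" + urllib.parse.urlencode({"h": h, "u": token, "t": t})


def proxy_rewrite(link):
    """Assumed proxy behaviour when the mail is sent: store the link, decoded
    to its plain form, as one percent-encoded u parameter (%3D, %26, %2B, as
    in the post; the original %2b escapes are not preserved as %252b)."""
    plain = urllib.parse.unquote(link)
    return PROXY_BASE + "?d=opaque&u=" + urllib.parse.quote(plain, safe=":/?")


def proxy_redirect(rewritten):
    """Assumed proxy behaviour on click: decode its u parameter once and
    redirect to the result as-is, with no re-encoding."""
    return urllib.parse.parse_qs(urllib.parse.urlsplit(rewritten).query)["u"][0]


def app_parse_token(redirected):
    """What the application's query-string parser returns for u. Like
    ASP.NET's Request.QueryString, parse_qs maps '+' to a space."""
    return urllib.parse.parse_qs(urllib.parse.urlsplit(redirected).query)["u"][0]


def decode_standard(s):
    return base64.b64decode(s, validate=True)


def decode_urlsafe(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore padding


def token_survives(token, decode):
    """True if the bytes the app recovers after the whole round trip are the
    bytes it put into the link."""
    received = app_parse_token(proxy_redirect(proxy_rewrite(build_reset_link(token))))
    try:
        return decode(received) == RAW_TOKEN
    except ValueError:  # binascii.Error for the corrupted standard token
        return False


if __name__ == "__main__":
    print(proxy_redirect(proxy_rewrite(build_reset_link(STANDARD_B64_TOKEN))))
    print("standard base64 survives:", token_survives(STANDARD_B64_TOKEN, decode_standard))
    print("base64url survives:      ", token_survives(URLSAFE_TOKEN, decode_urlsafe))
```

The standard-base64 token is lost because the proxy's single decode turns %2B back into a literal +, which the application's query-string parser then reads as a space before the base64 decoder ever sees it. Whether the proxy can be made to re-encode is on the vendor's side; what the application can do on its side is emit values that have nothing to lose under an extra decode, for example base64url without padding (or hex) for u, which is what the second check shows.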