Web Agent not blocking ACO BadCSSChars characters defined

Article ID: 126375

Products

  • CA Single Sign-On
  • CA Single Sign On Agents (SiteMinder)
  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • SITEMINDER

Issue/Introduction

In certain environments, the Web Agent fails to correctly initialize the BadCSSChars parameter (or other character-filtering parameters), resulting in the Agent failing to block the prohibited characters listed in the Agent Configuration Object (ACO).

Symptoms:

  • The Web Agent accepts URLs containing encoded characters (e.g., %3b for ;) that should be explicitly blocked by BadURLChars.
  • This behavior extends to other filtering parameters, including BadFormChars, BadQueryChars, and BadCSSChars.
  • The Web Agent logs may not explicitly show an error, but security filtering is effectively bypassed.

Environment

  • Component: SiteMinder Web Agent
  • Component: CA Access Gateway (SPS)
  • Versions: All supported versions

Cause

The issue is caused by the presence of invalid or non-standard UTF-8 characters within the ACO parameter value.

Specifically, when exporting Policy Store data and comparing working versus non-working configurations, hidden characters such as the byte sequence 0xE2 0x80 0x99 (the UTF-8 encoding of a "Smart Quote", the Right Single Quotation Mark ’, U+2019) are often found (1).

The Web Agent expects the standard ASCII/UTF-8 single quote ('). When it instead encounters the "strange" single quote (’), initialization of the character string fails, and the Agent ignores the filtering logic for that parameter.

Resolution

To resolve this issue, manually clean the affected ACO parameters to ensure no hidden or "smart" UTF-8 characters are present.

  1. Log into the Administrative UI.
  2. Navigate to Infrastructure > Agent Configuration Objects.
  3. Open the affected ACO.
  4. Locate the parameter (e.g., BadCSSChars, BadURLChars) (2).
  5. Delete the existing value and manually re-type the string.
  6. Note: Do not copy-paste from Word, Outlook, or PDF documents, as these applications often "auto-correct" standard quotes into "Smart Quotes" (’).
  7. Ensure that only the standard single quote (') is used if a quote is required in the filter.
  8. Save the ACO.
  9. Restart the Web Server or wait for the ACO poll interval to update the Agent.
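As an added example that is not part of this article or of any Broadcom/CA tooling, the following Python script does two things the Cause and Resolution sections above describe by hand: it scans ACO parameter values for any non-ASCII character and reports its byte sequence and Unicode name (so a pasted smart quote shows up as E2 80 99 RIGHT SINGLE QUOTATION MARK), and it produces the ASCII-only string to re-type in step 5 so the cleaned value can be verified before the ACO is saved. The parameter names are the ones the article lists; the sample values and the simple Name=Value file format are constructed for this example and are not the product defaults or the Policy Store export format. Bytes that are not valid UTF-8 are kept and reported as raw bytes rather than aborting the scan.

```python
"""Added example (not part of the Broadcom KB article or of SiteMinder):
find hidden non-ASCII characters in ACO parameter values and produce the
ASCII-only string to re-type. Parameter names come from the article; the
sample values are constructed and are not the product defaults."""
import sys
import unicodedata

# Typographic characters that Word, Outlook and PDF viewers substitute for
# plain ASCII, mapped to the character the Web Agent actually expects.
SMART_CHAR_MAP = {
    "\u2018": "'",   # LEFT SINGLE QUOTATION MARK
    "\u2019": "'",   # RIGHT SINGLE QUOTATION MARK, UTF-8 bytes E2 80 99
    "\u201c": '"',   # LEFT DOUBLE QUOTATION MARK
    "\u201d": '"',   # RIGHT DOUBLE QUOTATION MARK
    "\u2013": "-",   # EN DASH
    "\u2014": "-",   # EM DASH
    "\u00a0": " ",   # NO-BREAK SPACE
}

# Constructed sample ACO values: one carries a smart quote pasted from a
# document where an ASCII apostrophe was intended.
SAMPLE_ACO = {
    "BadURLChars": "//,./,/.,/*,*.,~,\\,%00-%1f,%7f-%ff,%25",
    "BadCSSChars": "<,>,\u2019,;,),(,&,+",     # hidden U+2019 at index 4
    "BadFormChars": "<,>,',;,),(,&,+",         # clean: ASCII apostrophe
    "BadQueryChars": "<,>,',;,),(,&,+",
}


def find_hidden_chars(value):
    """Return (index, char, utf8_hex, unicode_name) for every non-ASCII
    character in value. An empty list means the value is clean. Lone
    surrogates produced by 'surrogateescape' decoding are reported with
    the original invalid byte and the name UNKNOWN."""
    findings = []
    for i, ch in enumerate(value):
        if ord(ch) > 0x7F:
            raw = ch.encode("utf-8", "surrogateescape").hex(" ").upper()
            findings.append((i, ch, raw, unicodedata.name(ch, "UNKNOWN")))
    return findings


def clean_value(value):
    """Map known smart characters to their ASCII equivalent and drop any
    other non-ASCII character; the result is the string to re-type."""
    out = []
    for ch in value:
        if ch in SMART_CHAR_MAP:
            out.append(SMART_CHAR_MAP[ch])
        elif ord(ch) <= 0x7F:
            out.append(ch)
    return "".join(out)


def audit_aco(params):
    """params maps parameter name -> value. Returns only the parameters that
    contain hidden characters, each with its findings and cleaned value."""
    report = {}
    for name, value in params.items():
        findings = find_hidden_chars(value)
        if findings:
            report[name] = {"findings": findings, "cleaned": clean_value(value)}
    return report


def load_name_value_file(path):
    """Parse a constructed 'Name=Value' per line text file into a dict.
    Invalid UTF-8 bytes are preserved via surrogateescape so they are
    reported rather than causing a decode error."""
    params = {}
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        for line in fh:
            line = line.rstrip("\r\n")
            if "=" in line and not line.startswith("#"):
                name, value = line.split("=", 1)
                params[name.strip()] = value
    return params


if __name__ == "__main__":
    params = load_name_value_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ACO
    report = audit_aco(params)
    if not report:
        print("all parameter values are plain ASCII")
    for name, info in report.items():
        print(f"{name}: {len(info['findings'])} hidden character(s)")
        for idx, ch, hexbytes, uname in info["findings"]:
            print(f"  index {idx}: {uname} bytes {hexbytes}")
        print(f"  re-type as: {info['cleaned']}")
```

Run it with no arguments to audit the constructed sample, or pass the path of a Name=Value file you assembled from the exported ACO values; a parameter that shows only ASCII apostrophes in the Administrative UI but still reports an E2 80 99 finding is the case this article describes.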

Additional Information

  1. UTF-8 Encoding Debugging Chart

  2. Protect Web Sites Against Cross-Site Scripting