We have a custom login page deployed, and it looks like when you put a script in the URL like = accesskey="x"onclick="alert(1)"//
it can pop up with an error.
We were able to reproduce this only in Firefox and not in any other browsers. How can we prevent this type of attack?
The Web Agent had not been configured to block the risky characters used in the attack, namely the double quote character (%22).
Release: ALL
Component: SITEMINDER - WEB AGENT FOR APACHE
Add %2522 to the BadQueryChars ACO parameter to block use of double quotes in request query strings. Alternatively, %22 can be added to the BadURLChars ACO parameter.
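Before changing BadQueryChars or BadURLChars, it helps to know which requests already carry a double quote in the query string, both to spot attempts and to see what legitimate traffic the new setting would reject. The following is an added example, not SiteMinder or vendor code: it assumes Apache common/combined access log lines, and the sample entries, the `/login.html` path and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside an Apache common/combined access log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def quote_encoding(query):
    """Report how a double quote appears in the query string:
    'raw', '%22', '%2522' (double-encoded), or None if absent."""
    current = query
    for label in ("raw", "%22", "%2522"):
        if '"' in current:
            return label
        current = unquote(current)  # peel one layer of percent-encoding
    return None

def find_quote_requests(log_lines):
    """Return (path, encoding) for every request whose query string
    contains a double quote in raw, encoded or double-encoded form."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # Apache writes a raw double quote in the request line as \"
        target = match.group(1).replace('\\"', '"')
        path, _, query = target.partition("?")
        form = quote_encoding(query)
        if form:
            hits.append((path, form))
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /login.html?lang=en HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "GET /login.html?lang=%22x HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2024:10:00:02 +0000] "GET /login.html?lang=%2522x HTTP/1.1" 200 512',
    '192.0.2.13 - - [01/Jan/2024:10:00:03 +0000] "GET /login.html?lang=\\"x HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for path, form in find_quote_requests(SAMPLE_LOG):
        print(f"{path}: double quote present ({form})")
```
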