Enabling %27 (') Apex character and blocking the (') in Web Agent

search cancel

Enabling %27 (') Apex character and blocking the (') in Web Agent

book

Article ID: 213990

calendar_today

Updated On: 04-14-2025

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder)

Issue/Introduction

When running CA Access Gateway (SPS), when an URL has an %27 (') Apex character, then the CA Access Gateway (SPS) returns error 403 and it doesn't send the request to the backend server.

Cause

The CA Access Gateway (SPS) blocks actually the request:

browser.saz:

Line 2:

GET https://server.example.com/<app>/<variable>?name=<name>%27<resource>&name=<value>

HTTP/1.1 403 Forbidden
Date: Tue, 27 Apr 2021 14:29:52 GMT
Server: Apache/2.4.39 (Unix) mod_jk/1.2.46

CA Access Gateway - Error Report
Error Details
Request URI : /<app>/<variable>
Error Type : SPS Exception 
Error Code : WebAgentException 
Error Message : Web agent has thrown error. More details in SPS logs.

Out of the box, by default, there are 2 ACO parameters that will block the ' character in URL:

CSSChecking and BadCSSChars (1).

Resolution

Changing the values of the CSSChecking and BadCSSChars parameters to not block ' character made the calls successful.

Additional Information

Help Prevent Attacks

Feedback

Was this article helpful?

thumb_up Yes

thumb_down No