How to enable %27 (') Apex character and Blocking the (')


Article ID: 213990


Updated On:


SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)



When running CA Access Gateway (SPS), if a URL contains a %27 (') apex
character, the CA Access Gateway (SPS) returns error 403 and does not
send the request to the backend server.




We see the CA Access Gateway (SPS) blocking the request:

fiddler.saz:

Line 2:


  HTTP/1.1 403 Forbidden
  Date: Tue, 27 Apr 2021 14:29:52 GMT
  Server: Apache/2.4.39 (Unix) mod_jk/1.2.46

  CA Access Gateway - Error Report
  Error Details
  Request URI : /myapp/myvariable
  Error Type : SPS Exception 
  Error Code : WebAgentException 
  Error Message : Web agent has thrown error. More details in SPS logs. 

According to the documentation, out of the box there are 2 ACO
parameters that cause the ' character in a URL to be blocked:
CSSChecking and BadCSSChars:

  Help Prevent Attacks


      Enable this parameter to configure the Web Agent to scan a full URL,
      including the query string, for escaped and unescaped versions of
      the following default character set:

      left and right angle brackets (< >)
      single quote (')

      Default: Yes


    Override the Default CSS Character Set

      By default, the agent checks for the following default cross-site
      scripting character set:

      Left and right angle brackets (< >)

      Single quote  (')


      Default: <,',> (A comma separates the characters.)




Changing the values of the CSSChecking and BadCSSChars parameters so that
the ' character is no longer blocked made the calls successful.
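
The following added example (not SiteMinder code and not part of the original article) is a simplified Python model of the scan the documentation describes, useful for checking which application URLs a given BadCSSChars value would reject before changing the ACO. The function names, the sample URLs and the narrowed value `<,>` are assumptions made for illustration; it shows that removing only the single quote from BadCSSChars keeps the angle-bracket check, while turning CSSChecking off drops the whole scan.

```python
# Added example: a simplified model of the CSSChecking scan, not SiteMinder code.
DEFAULT_BAD_CSS_CHARS = "<,',>"  # default BadCSSChars value quoted above


def parse_bad_css_chars(value):
    """Split a comma-separated BadCSSChars value into single characters."""
    return [c for c in value.split(",") if c]


def find_bad_chars(url, bad_css_chars=DEFAULT_BAD_CSS_CHARS, css_checking=True):
    """Return the listed characters found in url, escaped or unescaped.

    The whole URL, query string included, is scanned. An empty list means
    this model would let the request through.
    """
    if not css_checking:
        return []
    hits = []
    lowered = url.lower()  # percent-escapes may be written %3C or %3c
    for ch in parse_bad_css_chars(bad_css_chars):
        escaped = "%{:02x}".format(ord(ch))  # e.g. ' -> %27
        if ch in url or escaped in lowered:
            hits.append(ch)
    return hits


# Constructed sample URLs (the path is the one from the error report above).
SAMPLES = [
    "/myapp/myvariable?name=O%27Brien",
    "/myapp/myvariable?name=O'Brien",
    "/myapp/myvariable?q=%3Cscript%3E",
    "/myapp/myvariable?id=42",
]

if __name__ == "__main__":
    for url in SAMPLES:
        default = find_bad_chars(url)
        narrowed = find_bad_chars(url, bad_css_chars="<,>")  # assumed value
        print(f"{url!r}: default={default} narrowed={narrowed}")
```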