
How to enable the %27 (') apostrophe character when it is blocked


Article ID: 213990


Updated On:

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

When a URL contains a %27 (') apostrophe character, CA Access Gateway
(SPS) returns error 403 and does not send the request to the backend
server.

Cause

CA Access Gateway (SPS) blocks the request, as the trace shows:

fiddler.saz:

Line 2:

GET https://myserver.mydomain.com/myapp/myvariable?name=Joe+D%27Imagio&city=NewYork

  HTTP/1.1 403 Forbidden
  Date: Tue, 27 Apr 2021 14:29:52 GMT
  Server: Apache/2.4.39 (Unix) mod_jk/1.2.46

  CA Access Gateway - Error Report
  Error Details
  Request URI : /myapp/myvariable
  Error Type : SPS Exception 
  Error Code : WebAgentException 
  Error Message : Web agent has thrown error. More details in SPS logs. 

According to the documentation, two ACO parameters block the '
character in URLs by default: CSSChecking and BadCSSChars:

  Help Prevent Attacks

    CSSChecking

      Enable this parameter to configure the Web Agent to scan a full URL,
      including the query string, for escaped and unescaped versions of
      the following default character set:

      left and right angle brackets (< >)
      single quote (')

      Default: Yes

      [...]

    Override the Default CSS Character Set

      By default, the agent checks for the following default cross-site
      scripting character set:

      Left and right angle brackets (< >)

      Single quote  (')

      BadCSSChars

      Default: <,',> (A comma separates the characters.)

  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/user-protection/help-prevent-attacks.html

 

Resolution

Changing the values of the CSSChecking and BadCSSChars parameters so
that they no longer block the ' character made the calls successful.
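
The check described in the documentation excerpt, and the effect of the change above, as an added example that is not part of the original article and is not SiteMinder code. It is a simplified model: the function names, the relaxed value `<,>` and the second sample URL are assumptions made for illustration.

```python
# Simplified model of the documented CSSChecking / BadCSSChars check.
# Not SiteMinder code; the real agent's matching rules may differ.

DEFAULT_BAD_CSS_CHARS = "<,',>"  # default quoted in the documentation
RELAXED_BAD_CSS_CHARS = "<,>"    # assumed value: the default minus '

# URL from the Fiddler trace in this article
TRACE_URL = ("https://myserver.mydomain.com/myapp/myvariable"
             "?name=Joe+D%27Imagio&city=NewYork")
# Constructed sample: angle brackets in escaped form
MARKUP_URL = "https://myserver.mydomain.com/myapp/myvariable?name=%3Cb%3EJoe"


def parse_bad_chars(setting):
    """Split the comma-separated setting into individual characters."""
    return [c for c in setting.split(",") if c]


def blocked_chars(url, bad_css_chars=DEFAULT_BAD_CSS_CHARS, css_checking=True):
    """Return configured characters present in the URL, raw or %-escaped."""
    if not css_checking:
        return []
    lowered = url.lower()  # hex digits of an escape may be upper or lower case
    hits = []
    for ch in parse_bad_chars(bad_css_chars):
        escaped = "%{:02x}".format(ord(ch))
        if ch in url or escaped in lowered:
            hits.append(ch)
    return hits


def decision(url, **settings):
    """Map the scan result to the outcome described in the article."""
    return "403" if blocked_chars(url, **settings) else "forward"


if __name__ == "__main__":
    for label, chars in (("default", DEFAULT_BAD_CSS_CHARS),
                         ("relaxed", RELAXED_BAD_CSS_CHARS)):
        for url in (TRACE_URL, MARKUP_URL):
            print(label, decision(url, bad_css_chars=chars),
                  blocked_chars(url, bad_css_chars=chars), url)
```

With ' removed from the set, the agent still rejects angle brackets but no longer screens single quotes, so the backend application has to handle them safely itself.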