When running a Web Agent, what are the risks when allowing in URL the following character (1)?
/.
At first glance, the string /. is in BadUrlChars because it is malformed: a dot-segment is considered invalid or extraneous as per RFC 3986, is removed during URI resolution, and is therefore not expected in a request (2).
Further, some published vulnerabilities mention possible misuse of /. (3)(4).
By default, BadUrlChars includes /. in its value. If it is removed from the list, the Web Agent will no longer block it.
BadUrlChars //,./,/.,/*,*.,~,\,%00-%1f,%7f
If BadUrlChars is disabled entirely by commenting it out, all characters are allowed, according to the documentation (5).
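As an added illustration (not from the Web Agent documentation or product code): a simplified string-based model of the default BadUrlChars list, placed beside the RFC 3986 section 5.2.4 remove_dot_segments algorithm quoted in (2), to show that a request path containing /. or /.. resolves to a different path than the literal string a policy check sees. The matching logic is an assumption for demonstration, not the agent's actual matcher.

```python
import re

# Default BadUrlChars value from the page, split into its literal entries.
# The %00-%1f and %7f entries are percent-encoded byte ranges, checked below.
BAD_URL_CHARS = ["//", "./", "/.", "/*", "*.", "~", "\\"]
BAD_ENCODED_RANGES = [(0x00, 0x1F), (0x7F, 0x7F)]

def has_bad_url_chars(path: str) -> bool:
    """Simplified model: True if the raw path contains any default BadUrlChars entry."""
    if any(token in path for token in BAD_URL_CHARS):
        return True
    for m in re.finditer(r"%([0-9A-Fa-f]{2})", path):
        value = int(m.group(1), 16)
        if any(lo <= value <= hi for lo, hi in BAD_ENCODED_RANGES):
            return True
    return False

def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 remove_dot_segments, steps A to E, applied to a path."""
    inp, out = path, []
    while inp:
        if inp.startswith("../"):           # A: drop leading "../"
            inp = inp[3:]
        elif inp.startswith("./"):          # A: drop leading "./"
            inp = inp[2:]
        elif inp.startswith("/./"):         # B: "/./" becomes "/"
            inp = "/" + inp[3:]
        elif inp == "/.":                   # B: trailing "/." becomes "/"
            inp = "/"
        elif inp.startswith("/../"):        # C: "/../" becomes "/", pop last output segment
            inp = "/" + inp[4:]
            if out:
                out.pop()
        elif inp == "/..":                  # C: trailing "/.." likewise
            inp = "/"
            if out:
                out.pop()
        elif inp in (".", ".."):            # D: lone dot-segment is removed
            inp = ""
        else:                               # E: move first segment (with its "/") to output
            i = inp.find("/", 1)
            seg, inp = (inp, "") if i < 0 else (inp[:i], inp[i:])
            out.append(seg)
    return "".join(out)

# Constructed sample: the literal path a string-based policy check would see
# versus the resource the RFC resolution process actually targets.
for raw in ("/public/../protected/data", "/protected/.", "/a/b/c/./../../g"):
    print(raw, "-> flagged:", has_bad_url_chars(raw), "resolves to:", remove_dot_segments(raw))
```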
(1)
Web Agent :: BadUrlChars : Impact of disabling Them
(2)
Uniform Resource Identifier (URI): Generic Syntax
3.3. Path
The path segments "." and "..", also known as dot-segments, are
defined for relative reference within the path name hierarchy.
They are intended for use at the beginning of a relative-path
reference (Section 4.2) to indicate relative position within the
hierarchical tree of names. This is similar to their role
within some operating systems' file directory structures to
indicate the current directory and parent directory,
respectively. However, unlike in a file system, these
dot-segments are only interpreted within the URI path hierarchy
and are removed as part of the resolution process (Section 5.2).
5.2.4. Remove Dot Segments
in order to remove any invalid or extraneous dot-segments prior to
forming the target URI.
B. if the input buffer begins with a prefix of "/./" or "/.",
where "." is a complete path segment, then replace that
prefix with "/" in the input buffer; otherwise,
C. if the input buffer begins with a prefix of "/../" or "/..",
where ".." is a complete path segment, then replace that
prefix with "/" in the input buffer and remove the last
segment and its preceding "/" (if any) from the output
buffer; otherwise,
(3)
This webpage is vulnerable to a reflected Cross-Site Scripting (XSS)
attack, which allows a malicious actor to inject javascript into the
web page.
[...omitted for brevity...]
Please note that the attack exploits a feature which is
not typically present in modern browsers, which remove dot
segments before sending the request.
(4)
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before
3.1.6, the django.utils.archive.extract method (used by "startapp
--template" and "startproject --template") allows directory
traversal via an archive with absolute paths or relative paths with
dot segments.
(5)
Default: Disabled (all characters are allowed).