Working of webagent configuration parameter BadQueryChars
search cancel

Working of webagent configuration parameter BadQueryChars


Article ID: 51585


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On



The webagent configuration guide for R6.x and R12.x does not describe clearly and in detail regarding the working of ACO parameter BadQueryChars.


BadQueryChars: - Specifies characters that the Web Agent prohibits in the query string portion (following the '?') in a URL.

Web Agents searches for prohibited characters in query strings by comparing the characters in the query string of the URL with the ASCII values of the characters defined in the BadQueryChars parameter.

For an example, see the following process;

  1. The BadQueryChars parameter contains the URL-encoded value for the percent symbol (%) as shown in the following example:


  2. The Web Agent receives an HTTP request that contains the following query string:


  3. The Web Agent examines the URL in the previous example, but does not decode the URL-encoded values. For example, the Web Agent interprets the previous example (in Step 2) as the literal string %0d, and not as a carriage return.

  4. The Web Agent examines the values in the BadQueryChars parameter, and converts them to their ASCII values. For example, the %25 in Step 1 is converted to a percent symbol (%).

  5. The Web Agent compares each character in the URL against the decoded ASCII values from the BadQueryChars parameter.

  6. The Web Agent blocks the request, because the ASCII percent symbol (%) exists in both of the following places:

    • The query string of the URL

    • The decoded (ASCII) value in the BadQueryChars parameter

To block certain characters from query strings, set the value of the BadQueryChars parameter to include the characters you want to block.

NOTE: The same has also been updated in the webagent configuration guide for 6QMR6.


Component: SMAPC