URL contains BadQueryChars: '/myURI/MyServlet;variable=value'

Article Id: 77169
Status: Published
Updated On: 05-07-2018 03:41
Products:
CA Single Sign On Secure Proxy Server (SiteMinder) , AXIOMATICS POLICY SERVER , CA Single Sign On SOA Security Manager (SiteMinder) , CA Single Sign-On , CA Single Sign-On
Issue/Introduction:

We have a Web Agent protecting an application, and we are getting the following errors when accessing the URL '/myURI/MyServlet;variable=value': 

"URL contains invalid characters. Exiting with HTTP 500 server error '00-0002'."

In our ACO we have defined the following parameters: 
BadUrlChars=//,./,/.,/*,*.,~,/,%00-%1f,%7f-%ff,%25
BadQueryChars=<,>,;,),(,+,%00

Doing some tests we have noticed that when we remove the semicolon character from the BadQueryChars then we can access the URL above, but as there is no query string in the URL we don't know why it is complaining about BadQueryChars, as we don't even have the semicolon defined in the BadUrlChars parameter.
 

Cause:

As per the documentation, BadQueryChars "specifies characters that the Web Agent prohibits in the query string portion (following the '?') in a URL."
When the URL does not contain a '?' character, the Agent is actually checking the whole URL for BadQueryChars

Environment:

Web Agent R12.52 SP1 CR05

Resolution:

This issue is fixed in Web Agent R12.52 SP1 CR09. Upgrade to that version to fix this issue.
 

Web Agent

 
00932392DE340263

The BadQueryChars ACO parameter incorrectly checks the entire URL if there is no query string.


https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr09

 

Additional Information:

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/web-agent-configuration/user-protection-and-tracking/help-prevent-attacks#HelpPreventAttacks-SpecifyBadQueryCharacters
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/web-agent-configuration/user-protection-and-tracking/help-prevent-attacks#HelpPreventAttacks-SpecifyBadURLCharacters