Web Agent :: BadUrlChars : Impact of disabling Them



Article ID: 48382


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER CA Single Sign On Agents (SiteMinder)



What are the implications of disabling the default BadUrlChars?




Web Agent 12.52SP1CR10 on Apache 2.4.16 on RedHat 7




BadUrlChars by default is set to block these:


When the BadUrlChars check is disabled, these default characters may help an attacker insert code to:

  • Get another user's session;
  • Overload the target server and make it unresponsive.

SiteMinder documentation does not provide a list of the security holes that each character may allow if it is not blocked, for the simple reason that the number of languages and coding practices is almost unlimited, as OWASP underlines (1).

But running a so-called "vulnerability scanner" will provide an accurate description of all the potential security risks. This kind of scanner will usually give more detail about the cross-site scripting holes present in the environment.
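Before changing the setting, it also helps to see which requests the list currently affects. The following added example (not SiteMinder code and not part of the original article) replays access-log request lines against a BadUrlChars-style list. The list value, the log lines and the substring and encoded-range matching are all assumptions that only approximate the agent's behaviour.

```python
import re

# Assumed sample list in the comma-separated BadUrlChars style (not taken from
# the article); substitute the value from your own agent configuration.
SAMPLE_BAD_URL_CHARS = r"//,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff"

# Constructed Apache access-log lines, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /app/index.html HTTP/1.1" 200 512
192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "GET /app/../conf/settings HTTP/1.1" 403 199
192.0.2.12 - - [01/Jan/2024:10:00:02 +0000] "GET /app/page%00.jsp HTTP/1.1" 403 199
192.0.2.13 - - [01/Jan/2024:10:00:03 +0000] "GET /~alice/notes.txt HTTP/1.1" 200 88
192.0.2.14 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=a//b HTTP/1.1" 200 300
"""
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def parse_bad_url_chars(value):
    """Split the list into literal sequences and (low, high) encoded-byte ranges."""
    literals, ranges = [], []
    for item in value.split(","):
        m = re.fullmatch(r"%([0-9a-fA-F]{2})-%([0-9a-fA-F]{2})", item)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
        elif item:
            literals.append(item)
    return literals, ranges

def find_hits(path, literals, ranges):
    """Return the list entries matched by the raw, undecoded path."""
    hits = [lit for lit in literals if lit in path]
    for code in re.findall(r"%([0-9a-fA-F]{2})", path):
        byte = int(code, 16)
        hits += [f"%{lo:02x}-%{hi:02x}" for lo, hi in ranges if lo <= byte <= hi]
    return hits

def audit_log(log_text, bad_url_chars=SAMPLE_BAD_URL_CHARS):
    """Map each logged request target to the list entries it would trip."""
    literals, ranges = parse_bad_url_chars(bad_url_chars)
    report = {}
    for target in REQUEST_RE.findall(log_text):
        # Assumption: only the part of the URL before "?" is checked.
        hits = find_hits(target.split("?", 1)[0], literals, ranges)
        if hits:
            report[target] = hits
    return report

if __name__ == "__main__":
    for target, hits in audit_log(SAMPLE_LOG).items():
        print(target, "->", hits)
```

Requests that appear in the report for a legitimate application (such as the `~` path in the sample) show what depends on relaxing the list, while the remaining entries show what would reach the backend unfiltered if it were disabled.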


Additional Information



(1) Cross-site scripting (XSS)