Web Agent :: BadUrlChars : Impact of disabling Them
Article ID: 48382

Products

  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign On SOA Security Manager (SiteMinder)
  • CA Single Sign-On SITEMINDER
  • CA Single Sign On Agents (SiteMinder)

Issue/Introduction

What are the implications of disabling the default BadUrlChars?

Environment

Web Agent 12.52SP1CR10 on Apache 2.4.16 on Red Hat 7.

Resolution

By default, BadUrlChars is set to block the following characters and sequences in request URLs:

  //,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25

If this default list is disabled, the sequences it blocks become available to an attacker as building blocks for injected URLs that may, for example:

  • Obtain the session of another user;
  • Overload the target server and make it unresponsive.

The SiteMinder documentation does not provide a list of the specific security holes each character may open when it is not blocked, for the simple reason that the number of languages and coding practices is almost unlimited, as OWASP points out (1).

Running a vulnerability scanner against the environment will give an accurate description of the potential security risks. Scanners of this kind usually report in particular on the cross-site scripting holes present in the environment.
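The following is an added illustration of how a BadUrlChars-style filter behaves against the default list quoted above, and of what changes when the list is disabled; it is not SiteMinder's own code. It assumes (the article does not say) that the agent performs a case-insensitive substring scan of the raw, still percent-encoded request URL, and that an entry of the form %XX-%YY denotes every percent-encoded byte in that inclusive range. The sample URLs are constructed for the demonstration.

```python
"""Added illustration of how a BadUrlChars filter behaves; this is not
SiteMinder's own code. Assumptions not stated in the article: the agent
does a case-insensitive substring scan of the raw (still percent-encoded)
request URL, and an entry of the form %XX-%YY means every percent-encoded
byte in that inclusive range."""
import re
from typing import List, Optional, Tuple

# The default list exactly as quoted in the article.
DEFAULT_BAD_URL_CHARS = "//,./,/.,/*,*.,~,\\,%00-%1f,%7f-%ff,%25"

# Constructed sample requests (not from the article) covering the main
# classes the default list is meant to stop: path traversal, a null byte,
# a double-encoded traversal, a home-directory style path, and a clean URL.
SAMPLE_URLS = [
    "/app/profile?user=alice",
    "/app/../../private/config.xml",
    "/app/index.jsp%00.html",
    "/app/%252e%252e/private",
    "/~webadmin/status",
]

_RANGE = re.compile(r"^%([0-9a-fA-F]{2})-%([0-9a-fA-F]{2})$")


def compile_bad_url_chars(setting: str) -> List[str]:
    """Expand the comma-separated setting into lower-cased literal substrings.
    A range such as %00-%1f becomes %00, %01, ..., %1f (assumed syntax)."""
    patterns: List[str] = []
    for entry in setting.split(","):
        entry = entry.strip()
        if not entry:
            continue
        m = _RANGE.match(entry)
        if m:
            lo, hi = int(m.group(1), 16), int(m.group(2), 16)
            patterns.extend("%%%02x" % b for b in range(lo, hi + 1))
        else:
            patterns.append(entry.lower())
    return patterns


def first_bad_sequence(url: str, patterns: List[str]) -> Optional[str]:
    """Return the first blocked sequence found in url, or None if it is clean.
    The scan runs on the URL as received, before any decoding, which is why
    %25 (an encoded '%') catches double-encoded payloads like %252e%252e."""
    haystack = url.lower()
    for p in patterns:
        if p in haystack:
            return p
    return None


def check_requests(urls: List[str],
                   setting: Optional[str] = DEFAULT_BAD_URL_CHARS
                   ) -> List[Tuple[str, str, Optional[str]]]:
    """Classify each URL as ("allow", url, None) or ("block", url, sequence).
    setting=None models a deployment where BadUrlChars has been disabled:
    nothing is filtered and every URL reaches the protected application."""
    patterns = compile_bad_url_chars(setting) if setting else []
    results = []
    for url in urls:
        seq = first_bad_sequence(url, patterns)
        results.append(("block" if seq else "allow", url, seq))
    return results


if __name__ == "__main__":
    print("--- default BadUrlChars ---")
    for verdict, url, seq in check_requests(SAMPLE_URLS):
        print(f"{verdict:5} {url}" + (f"   matched {seq!r}" if seq else ""))
    print("--- BadUrlChars disabled ---")
    for verdict, url, _ in check_requests(SAMPLE_URLS, setting=None):
        print(f"{verdict:5} {url}")
```

With the default list the traversal, null-byte, double-encoded and `~` requests are rejected at the agent before any application code sees them; with `setting=None` every one of them is allowed through, which is the practical impact the question asks about. Note that the filter only ever looks at the raw URL, so anything the agent decodes later (for example form bodies) is outside its scope and must be validated by the application itself.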

Additional Information

(1) OWASP, Cross-site scripting (XSS)