Specify Bad Query Characters
To prohibit certain characters in the query string portion of a URL, set the following parameter:
- BadQueryChars
Specifies characters that the Web Agent prohibits in the query string portion (following the '?') in a URL.
Default: Empty (any characters allowed in query strings)
Limits:
- You can specify characters literally or enter the URL-encoded form of that character. For example, you can enter the letter a, or you can enter the encoded equivalent of %61.
- You can specify a maximum number of 4096 characters (including commas used for separating characters).
- You can specify ranges of characters separated by a hyphen. The syntax is: starting_character-ending_character. For example, you can enter a-z as a range of characters.
- Specify quotes (") with the URL-encoded equivalent %22. Do not enter the ASCII quote character itself.
Example: %25 (the encoded percent symbol) blocks any query string that contains URL-encoded characters, because every encoded sequence begins with %.
Web Agents search for prohibited characters in query strings by comparing the characters in the query string of the URL with the ASCII values of the characters defined in the BadQueryChars parameter. The query string itself is not decoded before the comparison. The following process shows an example:
1. The BadQueryChars parameter contains the URL-encoded value for the percent symbol (%), as shown in the following example:
   %25
2. The Web Agent receives an HTTP request that contains the following query string:
   xxx=%0d
3. The Web Agent examines the query string from Step 2 but does not decode its URL-encoded values. The Web Agent interprets %0d as the literal three-character string %0d, not as a carriage return.
4. The Web Agent examines the values in the BadQueryChars parameter and converts them to their ASCII values. The %25 from Step 1 is converted to a percent symbol (%).
5. The Web Agent compares each character in the query string against the decoded ASCII values from the BadQueryChars parameter.
6. The Web Agent blocks the request, because the ASCII percent symbol (%) exists in both of the following places:
   - The query string of the URL.
   - The decoded (ASCII) value in the BadQueryChars parameter.
To block certain characters from query strings, set the value of the BadQueryChars parameter to include the characters you want to block.
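The matching rule described above, modelled in Python. This is an added example and not Web Agent code: it parses a BadQueryChars value (literal characters, %XX encodings, and ranges) into a set of ASCII values, then checks the undecoded query string against that set, exactly as the process above describes. The host www.example.com and the sample requests are constructed; treating %XX on either end of a range (such as %00-%1F) as valid is an assumption, since the page shows only literal ranges such as a-z. The cases also show a consequence of the rule worth knowing: listing a literal character such as < blocks only its literal form, because the query string is never decoded; the encoded form %3C passes unless % itself (%25) is also prohibited, which in turn rejects every URL-encoded character.

```python
import re

# Matches one URL-encoded byte such as %25 or %0d.
_ENCODED = re.compile(r"%([0-9A-Fa-f]{2})")

# Limit stated on this page for the whole parameter value, commas included.
MAX_BAD_QUERY_CHARS_LEN = 4096


def _decode_token(token: str) -> str:
    """Replace every %XX sequence in a BadQueryChars token with its ASCII character."""
    return _ENCODED.sub(lambda m: chr(int(m.group(1), 16)), token)


def parse_bad_query_chars(value: str) -> set[int]:
    """Convert a BadQueryChars value into the set of prohibited ASCII code points.

    Tokens are comma-separated; each is a single character (literal or %XX)
    or a range written start-end, as in a-z. Allowing %XX on either end of a
    range (for example %00-%1F) is an assumption of this model; the page only
    shows the literal form. An empty value prohibits nothing (the default).
    """
    if len(value) > MAX_BAD_QUERY_CHARS_LEN:
        raise ValueError("BadQueryChars exceeds the 4096-character limit")
    prohibited: set[int] = set()
    if value == "":
        return prohibited
    for token in value.split(","):
        decoded = _decode_token(token)
        if len(decoded) == 1:
            prohibited.add(ord(decoded))
        elif len(decoded) == 3 and decoded[1] == "-":
            lo, hi = ord(decoded[0]), ord(decoded[2])
            if lo > hi:
                raise ValueError(f"range {token!r} runs backwards")
            prohibited.update(range(lo, hi + 1))
        else:
            raise ValueError(f"cannot interpret token {token!r}")
    return prohibited


def query_string(url: str) -> str:
    """Return the part of the URL after the first '?', or '' if there is none."""
    _, sep, query = url.partition("?")
    return query if sep else ""


def find_bad_chars(url: str, bad_query_chars: str) -> list[str]:
    """Return the prohibited characters present in the URL's query string.

    The query string is compared exactly as received: %0d is the three
    characters '%', '0', 'd', never a carriage return. Only the parameter
    side is decoded.
    """
    prohibited = parse_bad_query_chars(bad_query_chars)
    return sorted({ch for ch in query_string(url) if ord(ch) in prohibited})


def is_blocked(url: str, bad_query_chars: str) -> bool:
    """True if the matching rule described on this page would reject the request."""
    return bool(find_bad_chars(url, bad_query_chars))


if __name__ == "__main__":
    # Constructed sample requests; www.example.com is a placeholder host.
    cases = [
        # The page's own walk-through: %25 prohibits '%', so an encoded CR is rejected.
        ("https://www.example.com/app?xxx=%0d", "%25"),
        # Literal angle brackets are rejected ...
        ("https://www.example.com/app?q=<script>", "<,>"),
        # ... but their encoded form is not, because the query string is never decoded.
        ("https://www.example.com/app?q=%3Cscript%3E", "<,>"),
        # Adding %25 closes that gap, at the cost of rejecting every encoded character.
        ("https://www.example.com/app?q=%3Cscript%3E", "<,>,%25"),
        # Range with encoded endpoints (assumed syntax): a literal tab in the query.
        ("https://www.example.com/app?q=a\tb", "%00-%1F"),
        # No query string at all: nothing to match.
        ("https://www.example.com/app", "%25"),
    ]
    for url, setting in cases:
        verdict = "BLOCKED" if is_blocked(url, setting) else "allowed"
        print(f"BadQueryChars={setting!r:12} {url!r:48} -> {verdict} {find_bad_chars(url, setting)}")
```

Run the module directly to see each case and the characters that triggered the block. When deciding what to put in BadQueryChars, check the value against both the literal and the encoded form of every character you intend to prohibit, as the third and fourth cases do.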