Specify Bad TARGET Characters
You can set a list of character sequences that cannot be part of a URL request. The Web Agent treats these characters as bad TARGET characters. The Web Agent refuses URL requests that contain any of the characters or strings of characters that you include in this list. The checking is done on the URL after the "&TARGET" string. The Web Agent rejects URL requests that include such characters because a malicious web client can use such characters to evade SiteMinder rules.
When a Web Agent refuses a URL request containing a Bad TARGET character, the web server responds with one of the following messages:
- Internal Server Error
- Web Page not Found (404) Error
Check your Web Agent logs for information about how the Agent is handling requests.
Specify the characters using the following parameter:
- BadUrlChars
  Specifies the character sequences that cannot be used in URL requests. The Web Agent checks the characters in the URL that occur after the "&TARGET" string against the list in this parameter. If any of the specified characters are found, the Web Agent rejects the request.
  Default: '/\' and '/%09/'
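The following is an added reference model of the BadUrlChars check as the text above describes it; it is not CA Web Agent code, and the function name and the assumption that the marker and the sequences are matched literally (no decoding, exact case) are this example's own.

```python
# Added example (not CA Web Agent code): model of the BadUrlChars check.
# Only the part of the URL after the "&TARGET" string is inspected, and the
# configured sequences are matched literally, without URL-decoding the request.

# The two documented default sequences: "/\" and "/%09/".
BAD_URL_CHARS_DEFAULT = ["/\\", "/%09/"]

TARGET_MARKER = "&TARGET"   # assumption: matched literally, as written in the guide


def find_bad_target_sequence(url, bad_sequences=BAD_URL_CHARS_DEFAULT):
    """Return the first prohibited sequence found after '&TARGET', or None.

    Text before the marker is never inspected, so a sequence that appears only
    in the path or in an earlier query parameter does not cause a rejection.
    """
    pos = url.find(TARGET_MARKER)
    if pos == -1:
        return None                      # no TARGET portion to check
    tail = url[pos + len(TARGET_MARKER):]
    for seq in bad_sequences:
        if seq in tail:
            return seq
    return None


if __name__ == "__main__":
    # Constructed sample URLs; the host and paths are placeholders.
    for sample in (
        "http://www.example.com/login.fcc?SMAGENTNAME=agent1&TARGET=/secure/%09/index.html",
        "http://www.example.com/login.fcc?SMAGENTNAME=agent1&TARGET=/secure/index.html",
    ):
        print(sample, "->", find_bad_target_sequence(sample))
```

A request is rejected as soon as any one configured sequence is found in the TARGET portion, which is why the rejected request shows up only as a generic server error; the Web Agent log is where the matched sequence is recorded.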
Enable Bad Form Characters
The following characters are commonly used in cross-site scripting attacks:
- Left and right brackets (< >)
- ampersand (&)
- quotation marks (")
If you want to use scripting code for presenting forms to a user during an authentication challenge, enable the following parameter to configure the Web Agent to block any special characters before sending them to an HTML form:
- BadFormChars
  Specifies the characters that the Web Agent blocks before using them as output on a form. If enabled and if the agent name part of the URL has one or more characters that are specified in this parameter, then the login page returns the following error message:
  Internal Server Error
  Default: Disabled (characters are not blocked)
  Examples: <, >, &, %22
Limits:
- You can specify the characters literally.
- You can specify a maximum number of 4096 characters (including commas that are used for separating the characters).
- You can specify ranges of characters that are separated with hyphens. The syntax is: starting_character-ending_character. For example, you can enter a-z as a range of characters.
- Specify the quotes (") with the URL-encoded equivalent of %22. Do not use ASCII.
Follow these steps:
- Log in to the Administrative UI.
- Open the Agent Configuration Object in which you want to enable this parameter.
- Enable the BadFormChars parameter by removing the # character in front of it.
  The BadFormChars parameter is enabled with the default values.
- (Optional) Remove any characters that you do not want to use from the list. You can add any other character to this list. Verify that the characters are separated from one another by a comma.
Specify Bad Query Characters
To prevent certain characters from appearing in the query string portion of a URL, set the following parameter:
- BadQueryChars
  Specifies characters that the Web Agent prohibits in the query string portion (following the '?') in a URL.
  Default: Empty (any characters allowed in query strings)
Limits:
- The default hexadecimal numbers apply to English characters. For other languages, remove any hexadecimal values that correspond to the characters of the language that you want to allow. Examples of such languages include (but are not limited to) Brazilian Portuguese, French, Japanese, and Chinese.
- You can specify characters literally. You can also enter the URL-encoded form of that character. For example, you can enter the letter a, or you can enter the encoded equivalent of %61.
- You can specify a maximum number of 4096 characters (including commas that are used for separating characters).
- You can specify ranges of characters that are separated with hyphens. The syntax is: starting_character-ending_character. For example, you can enter a-z as a range of characters.
- Specify any quotation marks (") with the URL-encoded equivalent of %22. Do not use ASCII.
Example: %25 blocks URL-encoded characters in queries.
Web Agents search for prohibited characters in query strings by comparing the characters in the query string of the URL with the ASCII values of the characters defined in the BadQueryChars parameter. For an example, see the following process:
- The BadQueryChars parameter contains the URL-encoded value for the percent symbol (%), as shown in the following example:
  %25
- The Web Agent receives an HTTP request that contains the following query string:
  xxx=%0d
- The Web Agent examines the URL in the previous example, but does not decode the URL-encoded values. For example, the Web Agent interprets the previous example (in Step 2) as the literal string %0d, and not as a carriage return.
- The Web Agent examines the values in the BadQueryChars parameter, and converts them to their ASCII values. For example, the %25 in Step 1 is converted to a percent symbol (%).
- The Web Agent compares each character in the URL against the decoded ASCII values from the BadQueryChars parameter.
- The Web Agent blocks the request, because the ASCII percent symbol (%) exists in both of the following places:
  - The query string of the URL.
  - The decoded (ASCII) value in the BadQueryChars parameter.
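The process above, together with the list syntax from the Limits section (literal characters, URL-encoded %XX values, hyphen-separated ranges, comma separators), as an added example; this is a model written for this page, not CA Web Agent code, and the function names are assumptions. It decodes the configured list the way Step 4 describes and then scans the query string as received, without decoding it, as Step 3 describes. The same list syntax is documented for BadFormChars, so parse_bad_chars applies to that value as well.

```python
# Added example (not CA Web Agent code): reference model of the BadQueryChars
# check described in the guide. Names are this example's own.
from urllib.parse import urlsplit


def decode_token(token):
    """Decode one list entry: a single literal character or a %XX escape.

    The parameter value is decoded (Step 4), so %25 becomes '%' and %22
    becomes '"'. Only the configured list is decoded, never the request.
    """
    token = token.strip()
    if len(token) == 3 and token[0] == "%":
        return chr(int(token[1:], 16))
    if len(token) != 1:
        raise ValueError("bad BadQueryChars entry: %r" % token)
    return token


def parse_bad_chars(spec):
    """Expand a comma-separated BadQueryChars (or BadFormChars) value into the
    set of prohibited characters.

    Entries may be literal ('a'), URL-encoded (%61), or ranges of either form
    separated by a hyphen (a-z, %00-%1f). An empty value, the documented
    default, prohibits nothing.
    """
    chars = set()
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # A lone "-" is a literal hyphen; anything longer containing "-" is a range.
        if "-" in entry and len(entry) > 1:
            lo, hi = (decode_token(part) for part in entry.split("-", 1))
            if ord(hi) < ord(lo):
                raise ValueError("bad range: %r" % entry)
            chars.update(chr(c) for c in range(ord(lo), ord(hi) + 1))
        else:
            chars.add(decode_token(entry))
    return chars


def find_bad_query_char(url, spec):
    """Return the first prohibited character in the query string, or None.

    The query string is compared exactly as received (Step 3): 'xxx=%0d' is
    the seven characters x x x = % 0 d, not a carriage return, which is why a
    %25 entry rejects every URL-encoded value in the query.
    """
    query = urlsplit(url).query          # text after '?', fragment excluded
    bad = parse_bad_chars(spec)
    for ch in query:
        if ch in bad:                    # Step 5: per-character comparison
            return ch
    return None


if __name__ == "__main__":
    # Constructed sample request; the host is a placeholder.
    sample = "http://www.example.com/app?xxx=%0d"
    print("BadQueryChars=%25 ->", find_bad_query_char(sample, "%25"))   # blocked on '%'
    print("BadQueryChars empty ->", find_bad_query_char(sample, ""))    # allowed
```

Because the request is never decoded before the comparison, a value such as %25 is a broad setting: it rejects any query that carries URL-encoded data at all, including legitimate encoded spaces or non-English characters, which is what the language note under Limits is warning about.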
To block certain characters from query strings, set the value of the BadQueryChars parameter to include the characters you want to block.
Copyright © 2012 CA.
All rights reserved.