Previous Topic: How to Protect Resources Without Periods or ExtensionsNext Topic: IIS 6.0 Servers and BadURLChars Settings


Handle Complex URIs

The DisableDotDotRule parameter determines whether or not the Web Agent automatically authorizes a URI that contains two dots separated by a slash (/).

Default: No

If the DisableDotDotRule is set to yes, the Agent does not apply the double dot rule. For example, if the URI is:

If the DisableDotDotRule is set to no, the default, the Web Agent applies the double-dot rule. The Web Agent challenges requests for the following URIs, passing the request to the Policy Server:

Important! Avoid creating the possibility for unauthorized access when you use the IgnoreExt and DisableDotDotRule parameters together. For example, if you want to protect /dir1/app.pl, but you set the DisableDotDotRule parameter to yes, the Agent ignores the URI /dir1/app.pl/file1.gif because you have disabled the double-dot rule and included .gif in the IgnoreExt parameter. Consequently, an unauthorized user may access the protected application /dir1/app.pl.

Specify Bad URL Characters

You can list a set of character sequences that cannot be part of a URL request. These are treated by the Agent as bad URL characters. The Web Agent will refuse URL requests that contain any of the characters or strings of characters that you include in this list. The checking is done on the URL before the "?" character. The Web Agent rejects URL requests that include such characters because a malicious Web client might use such characters to evade SiteMinder rules.

When a Web Agent refuses a URL request containing a Bad URL character, the web server responds with one of the following messages:

Check your Web Agent logs for information on how the Agent is handling requests.

You specify the characters with the following parameter:

BadUrlChars

Specifies the character sequences that cannot be used in URL requests. The Web Agent checks the characters in the URL that occur before the "?" character against the list in this parameter. If any of the specified characters are found, the Web Agent rejects the request.

You can specify the following characters:

Separate multiple characters with commas. Do not use spaces.

You can use the bad URL characters in CGI parameters if the question mark (?) precedes the bad URL characters.

Default: //,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25

Limits:

To specify Bad URL characters, edit the value of the BadURLChars parameter to include the characters that you want to block.

Note: When configuring the Apache 2.0 Reverse Proxy Server and Outlook Web Access (OWA), be sure to turn off the BadURLChars parameter. OWA allows unrestricted characters in the email subject that might be listed in the BadURLChars parameter.

More Information

Types of Reverse Proxy Solutions