Backslash character '\' (0x5C) in a form can be detected by BadFormChars

Document ID : KB000011546
Last Modified Date : 14/02/2018
Introduction:

BadFormChars is an Agent Configuration Object parameter to specify the characters that the Web Agent blocks before using them as output on a form.

Question:

If a backslash character ‘\’ (0x5C) is set in BadFormChars, does the Web Agent block both ‘\’ and ‘%5c’ in the form data?

Environment:
CA Single Sign-On r12.5x
OS: Linux/Solaris
All Web servers
Answer:

Yes. The Web Agent blocks both ‘\’ and ‘%5c’ in the form data.

 

Example:

A POST request to the FCC-based Password Services (smpwservices.fcc) is intercepted and modified so that the username field contains '\'. In this case, the username is 'Mikel\foo'.

 

ACO parameter settings:

badformchars='\'.

or

badformchars='%5c'.

 

The Web Agent trace log shows the following message (snippet):

[SmFCC.cpp:2184][SmFcc::buildOutputForm]…..[BadFormChars found substituting Mikel\foo' for variable 'username', data blocked.]

 

Notes: This is not applicable to the 'username' field in login.fcc.
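
An added example, not part of the original article and not CA's code: a Python script that triages Web Agent trace lines carrying the "BadFormChars found ... data blocked" message shown above and reports which configured character matched, treating '\' and '%5c' as the same entry. The sample lines, the field name `field2`, the list form of the configured entries and the assumption that a value may be logged percent-encoded are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Message text taken from the trace snippet; the rest of the line format is left open.
BLOCKED = re.compile(
    r"\[(?P<src>[\w.]+):(?P<line>\d+)\]\[(?P<func>[\w:]+)\].*?"
    r"\[BadFormChars found substituting '?(?P<value>.*?)'? for variable "
    r"'(?P<var>[^']+)', data blocked\.\]"
)

# Constructed sample lines. The first reuses the snippet text; the second assumes a
# value could also be logged percent-encoded; 'field2' is a hypothetical field name.
SAMPLE = [
    r"[SmFCC.cpp:2184][SmFcc::buildOutputForm].....[BadFormChars found substituting Mikel\foo' for variable 'username', data blocked.]",
    r"[SmFCC.cpp:2184][SmFcc::buildOutputForm].....[BadFormChars found substituting 'a%5cb' for variable 'field2', data blocked.]",
    "[SmFCC.cpp:100][SmFcc::other] unrelated constructed line",
]

def normalize_badchars(entries):
    """Reduce entries such as '\\' and '%5c' to the literal character they denote."""
    return {unquote(entry) for entry in entries}

def triage(lines, entries):
    """Return one record per blocked-form event, with the bad characters found in it."""
    bad = normalize_badchars(entries)
    events = []
    for raw in lines:
        m = BLOCKED.search(raw)
        if m is None:
            continue  # not a BadFormChars block message
        decoded = unquote(m["value"])  # compare on the decoded form of the logged value
        events.append({
            "variable": m["var"],
            "value": m["value"],
            "matched": sorted(c for c in bad if c in decoded),
            "source": f'{m["src"]}:{m["line"]}',
        })
    return events

def count_by_variable(events):
    """Count blocked submissions per form field, to spot a field being probed."""
    return Counter(e["variable"] for e in events)

if __name__ == "__main__":
    for event in triage(SAMPLE, ["%5c"]):
        print(event)
    print(dict(count_by_variable(triage(SAMPLE, ["%5c"]))))
```

A record whose `matched` list is empty means the block was triggered by a character that is not in the entries passed to `triage`, so the list given to the script is out of step with the ACO setting.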