Web Agent :: BadURLChars : %25 Risks

Document ID : KB000048369
Last Modified Date : 14/02/2018
Show Technical Document Details


I would like to know the risks to remove "%25" from BadURLChars on a Web Agent Reverse Proxy. I have some applications conflicting and I would like to remove this configuration.


%25 is encoded character "%", which is an escape character, which mean that it could transport another character. This character is blocked by default in the BadURLChars as if it is allowed, when decoded, it may pass an encoded character to the application, which known as "multiple decoding" issue. Then the application might receive an encoded character which is decoded at the application level and the application might not expect this character.

As you probably know already, there is a lot of sample like this one on the internet.

The character is sent in the URL :


which will be decoded at the Web Server level as


and may be then decoded by the application once again as


as for this well known sample :


Host execution: dir c:\

the directory list of C:\is revealed


Usually, we see this kind of request because some links deserved through a Reverse Proxy are containing space characters. The problem is that by the Apache Reverse Proxy, the URL is not decoded, and thus the escape character is cached :


Unfortunately, there is no other solution than to change the URL's or to disable the check for the %25, but taking care that the backend application will handle this kind of characters.