Web Agent :: BadUrlChars : Impact of disabling Them

Document ID : KB000048382
Last Modified Date : 14/02/2018

Description:

What are the implications of disabling the Web Agent's default BadUrlChars setting?

Solution:

By default, the Web Agent's BadUrlChars parameter rejects any request whose URL contains one of the following sequences:

//,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25

Most entries are literal character sequences. The two entries written with a dash (%00-%1f and %7f-%ff) are ranges of percent-encoded byte values: every encoded control character (0x00 to 0x1f) and every encoded byte with the high bit set (0x7f to 0xff) is rejected. The last entry, %25, is the encoded percent sign itself; blocking it stops an attacker from double-encoding a sequence (for example %252e for "%2e") to slip it past the filter.

If the parameter is disabled, or these entries are removed from it, requests containing these sequences are no longer stopped at the agent and reach the web server and the application unfiltered. The sequences are the usual building blocks of path traversal (./, /., \, ~), null-byte and control-character injection (%00-%1f), high-bit bytes (%7f-%ff) and double encoding (%25). An attacker may combine them to inject code that lets them:

  • Get the session of another user;
  • Overload the target server and make it unresponsive.
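To make the filter concrete, here is a model of the BadUrlChars check as an added example. It is not the CA web agent's own code and does not reproduce its exact matching logic; it assumes the two entry forms described above (literal substrings and ranges of percent-encoded octets) and models "disabled" as an empty setting. The sample URLs are constructed for the illustration.

```python
"""Model of a SiteMinder-style BadUrlChars check (illustrative, not the
agent's own implementation)."""
import re

# Default BadUrlChars value as documented for the Web Agent.
DEFAULT_BAD_URL_CHARS = "//,./,/.,/*,*.,~,\\,%00-%1f,%7f-%ff,%25"

# "%00-%1f" style entry: a range of percent-encoded byte values.
_RANGE_RE = re.compile(r"^%([0-9a-fA-F]{2})-%([0-9a-fA-F]{2})$")
# Any percent-encoded octet in the incoming URL.
_PCT_RE = re.compile(r"%([0-9a-fA-F]{2})")


def parse_bad_url_chars(setting):
    """Split the comma-separated setting into literal tokens and (lo, hi) octet ranges.

    An empty setting (the filter "disabled") yields no literals and no ranges.
    """
    literals, ranges = [], []
    for token in setting.split(","):
        token = token.strip()
        if not token:
            continue
        m = _RANGE_RE.match(token)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
        else:
            literals.append(token)
    return literals, ranges


def find_bad_url_chars(url, setting=DEFAULT_BAD_URL_CHARS):
    """Return every entry of ``setting`` that matches ``url``.

    The check runs on the raw, still-encoded URL: decoding first would let
    "%252e" turn into "%2e" and then into "." in two steps, which is exactly
    what blocking the literal "%25" is meant to prevent.
    """
    literals, ranges = parse_bad_url_chars(setting)
    hits = []
    for lit in literals:
        if lit in url:
            hits.append(lit)
    # Hex digits in percent-encoding are case-insensitive, so compare values.
    for m in _PCT_RE.finditer(url):
        value = int(m.group(1), 16)
        if any(lo <= value <= hi for lo, hi in ranges):
            hits.append(m.group(0))
    return hits


def is_allowed(url, setting=DEFAULT_BAD_URL_CHARS):
    """True when the request would pass the filter, False when it would be rejected."""
    return not find_bad_url_chars(url, setting)


if __name__ == "__main__":
    # Constructed sample URLs: the first is benign, the rest carry sequences
    # from the default list (traversal, null byte, double encoding, user dir,
    # and a legitimate UTF-8 path that the high-bit range also catches).
    samples = [
        "/protected/app/index.html",
        "/protected/../etc/passwd",
        "/protected/file.html%00.jpg",
        "/protected/%252e%252e/secret",
        "/protected/~admin/",
        "/protected/caf%C3%A9",
    ]
    for url in samples:
        print(f"{url:40} default -> {find_bad_url_chars(url) or 'pass'}; "
              f"disabled -> {'pass' if is_allowed(url, '') else 'reject'}")
```

Note the last sample: a correctly UTF-8 encoded non-ASCII path is rejected by the %7f-%ff range just as an attack would be, which is the usual reason administrators are tempted to disable the parameter. Removing only the entry that blocks legitimate traffic, rather than clearing the whole list, keeps the remaining protections in place.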

The SiteMinder documentation does not list the specific security holes that each character may open if it is not blocked, for the simple reason that the number of languages and coding practices involved is almost unlimited, as OWASP points out:

"The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site."

(https://www.owasp.org/index.php/XSS)

You can, however, obtain a description of the risks attached to each character you intend to allow by running a vulnerability scanner against the application after the change. Such a scanner will typically point out the cross-site scripting and other injection holes present in your environment.