Webagent does not block Cross site scripting character in URL, if entered in UTF-8 encoding format.

Document ID : KB000051621
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

When CSS checking is enabled in web-agent and a request is made to GET a page from web-server, web-agent intercepts the URL and checks if the URL contains characters from the list of BadCssChars defined in ACO setting. In case URL contains Bad CSS chars, web-agent blocks the URL.

Web-agent URL parser for this functionality is written such that web-agent is able to find any Bad CSS char existing in URL in form of ASCII char or in Hexadecimal format.

But web-agent not interprets and blocks CSS characters in URL in UTF-8 format.
I.e. If CSS checking is enabled and any Bad CSS character is entered in URL in UTF-8 encoding form, then web-agent does not block that request URL containing UTF-8 character sequence.

Solution:

In order to block CSS characters entered in UTF-8 encoding in the URL, a new ACO parameter DisallowUtf8NonCanonical has been introduced in R12-SP2-CR-01 and 6.0-SP6.
When this ACO parameter DisallowUtf8NonCanonical is set to "yes" and CSSChecking is enabled then all URLs containing UTF-8 character sequences as well as characters from BadCssChars list will be blocked.
Whereas when this ACO parameter DisallowUtf8NonCanonical is set to "no" and CSSChecking is enabled then all URLs containing UTF-8 characters sequences will be allowed in URL and only the characters from BadCssChars will be blocked.

NOTE: - This functionality works only in case CSSChecking is enabled.