Symantec Access Management

What is the default list of CSS characters Siteminder checks for?

When we set CSSChecking to "YES" in ACO.

Configure the Web Agent to Check For Cross Site-Scripting

To instruct the Web Agent to check a URL for characters that may be part of an executable script, set the CSSChecking parameter to yes. By enabling this parameter, the Web Agent scans a full URL, including the query string, for escaped and unescaped versions of the following default character set:

• left and right angle brackets (< and >)
• single quote (')

https://wiki.ca.com/display/sm1252sp1/Help+Prevent+Attacks#HelpPreventAttacks-ConfiguretheWebAgenttoCheckForCrossSite-Sc…

Regards

Hubert

If one wishes to modify the list, this could be done via ACO parameter "BadCSSChars"

https://wiki.ca.com/display/sm1252sp1/Help+Prevent+Attacks#HelpPreventAttacks-ProtectWebSitesAgainstCross-SiteScripting

NOTE : A Complete list and description of ACO parameters is listed here.

https://wiki.ca.com/display/sm1252sp1/List+of+Agent+Configuration+Parameters

Regards

Hubert

Has the list of default character set changed? I found an old note from a previous go around with this that listed the following characters as the default

<,>,',;,),(,&,+,%00

Guess it doesn't matter if it has changed. It is what it is today. Just curious.

You can disregard that last question. Those are Bad URL Characters

Thank You, if it helped the query and no further queries on the same, Please close the thread.