That really depends on your filter set. Essentially they are using encoded characters to manipulate the request:
- %5B is an encoded [
- %7D is an encoded }

If you look in your dispatcher.log you'll see which filter rule allows that request through. See what it allows and then you can start to underst...