Forum Discussion
False Positive Bad Unescape BIG-IP ASM
I am encountering an issue where user input containing a percentage sign (%) causes the WAF to block the request with the error message "Bad Unescape".
How can I resolve this issue while ignoring the mismatch between the Content-Type header and the body payload?
Here is an example of the HTTP request:
POST /register HTTP/1.1
Host: test.com
Content-Type: application/x-www-form-urlencoded
Cookie: TS01xx
User-Agent: xx
Connection: keep-alive
Accept: application/json
Accept-Language: id-ID,id;q
Content-Length: x
Accept-Encoding: gzip, deflate, br

{"name":"NameMe","email":"test@gmail.com","username":"test","password":"Password1%"}
Hi Ryan,
While this is a negative security violation, i.e. (User Unescape), you can use the policy microservice, which enables you to allow [Evasion Technique / HTTP compliance] false positives under a specific resource such as a URI.
First, ask the server owner whether it is expected to receive % from the clients and this is the nature of the application. If so, I have simulated it in a demo for you; try it. This violation will be disabled only under the /register path, whereas it will be triggered for any other resource under test.com.
Check that and let me know...
- amine-elhijazi
As I recall, there is a way to configure F5 to interpret a request as JSON, allowing the password to be passed as a parameter. Of course, you can permit any characters you want in the parameter.
To achieve this, I believe you can create a URL like /register, then specify the content type for that URL (e.g., XML, JSON, etc.).
Hope that helps! :)
- amine-elhijazi
This article should help: https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0/20.html
Check for Request Body Handling.
Good luck :)
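As an added illustration (not code from the post, and not F5 code), the Python below models the check behind the violation and why the two replies above resolve it. A body declared as application/x-www-form-urlencoded has to be percent-decoded, and a "%" that is not followed by exactly two hex digits is an invalid escape; the same body read as JSON never goes through that decoder, so "Password1%" is just a string value. The `body_handling` parameter is an assumption standing in for the per-URL Request Body Handling setting the replies point to, and the sample bodies are constructed from the request in the question.

```python
"""Model of a "Bad Unescape" check: strict percent-decoding driven by the body
type the WAF believes it is looking at (illustration, not F5's implementation)."""
import json
import re
from typing import Any, Dict, Optional, Tuple


class BadUnescape(ValueError):
    """A '%' was not followed by exactly two hex digits."""


_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def strict_percent_decode(text: str) -> str:
    """Decode %XX and '+' as a form-urlencoded parser must, but refuse any '%'
    that does not begin a complete escape instead of passing it through
    (urllib.parse.unquote would silently keep the bad '%', which is why a
    WAF-style check needs its own decoder)."""
    buf = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "%":
            if _ESCAPE.match(text, i) is None:
                raise BadUnescape(f"bad escape at offset {i}: {text[i:i + 3]!r}")
            buf.append(int(text[i + 1:i + 3], 16))
            i += 3
        elif ch == "+":
            buf.append(0x20)
            i += 1
        else:
            buf.extend(ch.encode("utf-8"))
            i += 1
    return buf.decode("utf-8", errors="replace")


def parse_form_urlencoded(body: str) -> Dict[str, str]:
    """name=value&name=value, every name and value percent-decoded strictly."""
    params: Dict[str, str] = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[strict_percent_decode(name)] = strict_percent_decode(value)
    return params


def parse_body(content_type: str, body: str,
               body_handling: Optional[str] = None) -> Any:
    """Parse the body the way the WAF would: by the Content-Type header unless a
    per-URL override (hypothetical parameter modelling the URL's Request Body
    Handling setting) says otherwise."""
    kind = body_handling or content_type.split(";")[0].strip().lower()
    if kind == "application/json":
        return json.loads(body)  # '%' is an ordinary character inside JSON strings
    if kind == "application/x-www-form-urlencoded":
        return parse_form_urlencoded(body)
    raise ValueError(f"unhandled body type {kind!r}")


def inspect_request(content_type: str, body: str,
                    body_handling: Optional[str] = None) -> Tuple[str, Any]:
    """Return ("allowed", parsed_body) or ("Bad Unescape", detail)."""
    try:
        return "allowed", parse_body(content_type, body, body_handling)
    except BadUnescape as exc:
        return "Bad Unescape", str(exc)


# Constructed sample: the body from the question, sent with the mismatched header.
FORM_CT = "application/x-www-form-urlencoded"
JSON_BODY = ('{"name":"NameMe","email":"test@gmail.com",'
             '"username":"test","password":"Password1%"}')

if __name__ == "__main__":
    # Header says form-urlencoded, so the decoder reaches '%"}' and flags it.
    print(inspect_request(FORM_CT, JSON_BODY))
    # Same body with the /register URL set to JSON body handling: parsed cleanly.
    print(inspect_request(FORM_CT, JSON_BODY, body_handling="application/json"))
    # A client that really sent form-urlencoded data would have encoded '%' as %25.
    print(inspect_request(FORM_CT, "username=test&password=Password1%25"))
```

The third call shows the other half of the picture: the violation is not about the "%" character as such but about a "%" that cannot be decoded, which only happens because the header and the body disagree about the encoding.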