For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dburnett_103851's avatar
dburnett_103851
Icon for Nimbostratus rankNimbostratus
Dec 10, 2008

9.4.5 upgrade and HTTP Protocol Compliance

We currently have F5 Big IPs within a 'live' website environment and a 'pre-live' environment.     We have recently upgraded our pre-live environment from 9.4.3 to 9.4.5.     All...
app sec
BIG-IP Access Policy Manager (APM)
security
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Dec 10, 2008
A client can legitimately send a POST request with a Content-Length header value of 0. This is not against any HTTP RFC. ASM can block this as an added validation "feature". Internet Explorer seems to do this while Firefox does not. From a quick search it looks like IE might send POST requests with a Content-Length of 0 for NTLM authentication and some corner cases.

 

 

I think the reason ASM can be configured to block this is that it could be used for HTTP response splitting attacks. You can find more info on this category of attacks online:

 

 

http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt

 

 

Aaron