Forum Discussion

Nimbostratus

Dec 10, 2008

9.4.5 upgrade and HTTP Protocol Compliance

We currently have F5 Big IPs within a 'live' website environment and a 'pre-live' environment. We have recently upgraded our pre-live environment from 9.4.3 to 9.4.5. All...

app sec

BIG-IP Access Policy Manager (APM)

security

hoolio

Cirrostratus

Dec 16, 2008

I think the main concern for HTTP response splitting is if the application uses any user-supplied content in response headers. It would be ideal if you could disable the CR and LF characters for all four global character sets and only allow it where required for specific parameters. If that's not an option, you could leave CR and LF enabled for the global parameter. But then you're potentially opening yourself up to an attack if the application is vulnerable.

Either way, if you have legitimate client requests where they set the Content-Length to 0, you would need to disable that check.

Aaron

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)