Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Ted-Nordvall's avatar
Ted-Nordvall
Icon for Altocumulus rankAltocumulus
May 21, 2026

APM URL encoding Hardening?

Some companies still use on-prem Sharepoint.. and Sharepoint is what it is. We have had multiple servers deployed for quite some while now with ASM tuned for its quirks and so on. However - after u...
management
security
sharepoint
Jeff_Granieri's avatar
Jeff_Granieri
Icon for Employee rankEmployee
May 21, 2026

Hi Ted-Nordvall​

 

I used our F5 Irules Assistant Video  to help analyze your current irule, functionally it works fine.  Putting on a security cap probably a good idea to have AWAF on this VS as well to help with the HTTP compliance and signature matching at a bare minimum.   I did look at some possible enhancements to secure up the iRule - 

when RULE_INIT {
  # Build map once. Note: in a braced list, "\" = literal '\', "\{" = '{', etc.
  # \r and
  MUST be encoded to prevent CRLF / smuggling.
  set static::uri_encode_map [list \
  "\{" "%7B"  "\}" "%7D"  "|" "%7C"  "\" "%5C" \
  "^"  "%5E"  "\`" "%60"  " " "%20"  """ "%22" \
  "<"  "%3C"  ">"  "%3E"  "\r" "%0D" "
  " "%0A" \
  "\x00" "%00" "\x01" "%01" "\x02" "%02" "\x03" "%03" \
  "\x04" "%04" "\x05" "%05" "\x06" "%06" "\x07" "%07" \
  "\x08" "%08" "\x09" "%09" "\x0B" "%0B" "\x0C" "%0C" \
  "\x0E" "%0E" "\x0F" "%0F" "\x7F" "%7F"]
}

when HTTP_REQUEST {
  set orig_uri [HTTP::uri]
  set new_uri  [string map $static::uri_encode_map $orig_uri]
  if { $new_uri ne $orig_uri } {
    HTTP::uri $new_uri
  }
}

And here is what our AI assistant had to say about it:

 

AI Assistant 09:29 am

Objective

• Ensure that any unsafe or smuggling‐prone characters in the incoming HTTP request URI are percent-encoded before being sent to the pool member.

• Build a static lookup map once at rule initialization to translate braces, control characters, whitespace, and other disallowed bytes into their “%XX” forms.

• On each HTTP request, compare the original URI to its encoded version and update it if any translation occurred.

 

Execution Flow

• RULE_INIT event

– Runs when the iRule is loaded.

– Uses set static::uri_encode_map [list …] to construct a list of character-to-percent-encoding pairs in a static variable.

• HTTP_REQUEST event

– Triggers after full parsing of client HTTP headers (per docs for HTTP_REQUEST).

– set orig_uri [HTTP::uri] retrieves the raw path and query string.

– set new_uri [string map $static::uri_encode_map $orig_uri] applies all mappings from the static map.

– If the mapped URI differs (if { $new_uri ne $orig_uri }), call HTTP::uri $new_uri to set the rewritten URI toward the server.

 

Overall summary: This iRule cleanly builds a reusable encoding map at initialization and applies it on each HTTP request to neutralize potential CRLF or directory-traversal threats, using documented BIG-IP iRule commands as intended.

Please test in non-prod environment/qa.  Hope it helps