Forum Discussion
imac_105647
Nimbostratus
Jun 23, 2010
Application firewalling quandary
This problem is not strictly limited to ASM, but is a more general question:
I am seeing lots of end users type things that throw an exception on the ASM (it's not in blocking mode so I'm just working through these things), for example a user hits the shift key when typing a postcode so instead of typing FT3 5AC they type FT3 percentage signAC, or they forget to shift when typing an email address and we get test'test.com, I've even had someone type -- into a date field.
So my quandary is this: I can disable these exceptions and allow the application to deal with these typos, which it does much more gracefully than the ASM can, but I have to be sure the app does its validation correctly so that, if I allow these characters through, the app is not going to be compromised. Or I allow ASM to block these typos and potentially confuse the end user (there seems to be no way for the ASM to do anything graceful here in prompting the user as to what they have done wrong). I obviously want to block the bad guys, but I want to keep the customer who has made a typo without significantly weakening the ASM policy. How do you guys deal with situations like this?
2 Replies
- hoolio
Cirrostratus
Hi Ian,
The perfect scenario is if the app uses client-side JavaScript to "ask" the user not to enter invalid characters, ASM is blocking with a tight configuration, and the app does proper validation of the user input. Then you can keep ASM blocking these types of violations and still give the user a good experience. If you know the app handles validation for these fields successfully, you could relax the ASM charset either for specific parameter values or for all parameter values. If the app doesn't do proper sanitisation of user input, I'd say it's better to block errant user input and protect the app.
I've heard preliminary discussions of the ability to strip meta-characters from specific parameter values. You might consider talking with your account manager to put in a request for this type of functionality.
Aaron
- imac_105647
Nimbostratus
Hi Aaron,
Thanks for that. I'll discuss with our web team whether the JavaScript is a potential solution. I suspect that they will be reluctant (I think they are big on accessibility for our sites, and JavaScript tends to cause problems there, I believe).
Ian
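The layered approach from the replies above (friendly client-side prompting plus the same rules enforced server-side, so ASM can stay strict) as an added example that is not part of the thread or of any F5 product; the field names, regexes and the Express-style handler shape are assumptions, and the sample inputs are constructed from the typos described in the question.

```javascript
// Added example: one set of field rules shared by the browser form and the
// server. A shift-key slip such as "FT3 %AC" gets a message naming the
// offending character in the page, while the server still rejects it outright
// instead of relying on the WAF alone. Field names and rules are assumptions.
const FIELD_RULES = {
  postcode: { pattern: /^[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}$/i, allowed: /[A-Z0-9 ]/i,
              hint: "a UK postcode, e.g. SW1A 1AA" },
  email:    { pattern: /^[^\s@']+@[^\s@']+\.[^\s@']+$/, allowed: /[A-Z0-9@._+-]/i,
              hint: "an address like name@example.com" },
  date:     { pattern: /^\d{4}-\d{2}-\d{2}$/, allowed: /[0-9-]/,
              hint: "a date in YYYY-MM-DD form" },
};

// Returns null when the value is acceptable, otherwise a message the form can show.
function validateField(field, value) {
  const rule = FIELD_RULES[field];
  if (!rule) return `Unknown field "${field}"`;
  const v = String(value).trim();
  // Name the first character the field does not accept ("%" typed for "5",
  // "'" typed for "@") rather than only saying "invalid".
  const bad = [...v].find((ch) => !rule.allowed.test(ch));
  if (bad !== undefined) return `The character "${bad}" is not allowed here; expected ${rule.hint}`;
  if (!rule.pattern.test(v)) return `That does not look like ${rule.hint}`;
  return null;
}

// Server side (assumed handler shape): run the same rules on the parsed form
// body before any database access. Returns an object of field -> message;
// an empty object means every field passed.
function validateForm(body) {
  const errors = {};
  for (const field of Object.keys(FIELD_RULES)) {
    const raw = body[field] === undefined ? "" : body[field];
    const msg = validateField(field, raw);
    if (msg) errors[field] = msg;
  }
  return errors;
}

// Browser side: block the submit and show the messages inline (no-op in Node).
if (typeof document !== "undefined") {
  document.querySelector("form")?.addEventListener("submit", (ev) => {
    const body = Object.fromEntries(new FormData(ev.target));
    const errors = validateForm(body);
    if (Object.keys(errors).length) { ev.preventDefault(); alert(Object.values(errors).join("\n")); }
  });
}

// Constructed inputs mirroring the typos described in the question.
const SAMPLE_TYPOS = { postcode: "FT3 %AC", email: "test'test.com", date: "--" };
```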