ASM - False Positive Multiple Decoding Evasion Technique

Question

I am fairly new to ASM and we have just put in place our first ASM policy.  I am seeing false positives show up in reporting and customers are reporting the blocking page.  The most common issue appears to be that the user has entered a percent symbol as part of an input parameter.  In most cases it is the password entry parameter.  The percent symbol is encoded as %25 by the browser.  ASM decodes the %25 and then it notices the percent still there so it then thinks the user has encoded the value twice.  In this case it is not that it has been encoded twice but the parameter value actually has a percent symbol in it.  What is the workaround in ASM to allow for parameter values to contain a percent symbol?&nbsp;
&nbsp;Thanks
&nbsp;-Deon&nbsp;

hooleylist · Answer

Hi Deon, 
&nbsp;  
&nbsp; Which ASM version are you running?  I seem to remember a bug where the evasion technique logic would falsely detect extra URL encodings even when it wasn't there.  I couldn't find a solution on this, but I think it was in 10.0.x.  If you haven't done so, you should create a global parameter named password and allow the % metacharacter for it.  I'd try to keep this set to disabled in the global param value charset. 
&nbsp;  
&nbsp; If you're still seeing the evasion technique violation after that (which I think you will), then I'd open a case with F5 Support on this. 
&nbsp;  
&nbsp; Aaron

avnashish_30238 · Answer

Well I think you can allow multiple decoding in Evasion Technique violations. Try making it 3 or 4 and test. &nbsp;

joshbecigneul · Answer

Hi Avnashish, did you realize that this original thread was from the year 2011?&nbsp;

avnashish_30238 · Answer

Hello Josh, I realised it after your comment but nevertheless the problem and solution still matched for this post and can help anyone who visit this page. &nbsp;

msz · Answer

Great&nbsp;

Forum Discussion

ASM - False Positive Multiple Decoding Evasion Technique

6 Replies

Recent Discussions

TELEGRAMA @CANNAUNION DINERO FALSO 💸✔💸

Handling IP Geolocation Conflicts with AWAF for Internal LAN Addresses

F5 AWAF with HTTP/2, MRF and Websocket profiles

What parameter sections can be checked to find out the cause of slow GUI access?

Issue with worker_connections limits in Nginx+

Related Content

WAF evasion techniques for Command Injection

F5 Distributed Cloud WAF AI/ML Model to Suppress False Positives

CMS causing False Positives

Handle False Positive for files upload

Mitigating new HTTP Request Smuggling techniques with BIG-IP ASM