Forum Discussion

Deon's avatar
Deon
Icon for Nimbostratus rankNimbostratus
Apr 29, 2011

ASM - False Positive Multiple Decoding Evasion Technique

I am fairly new to ASM and we have just put in place our first ASM policy. I am seeing false positives show up in reporting and customers are reporting the blocking page. The most common issue appears to be that the user has entered a percent symbol as part of an input parameter. In most cases it is the password entry parameter. The percent symbol is encoded as %25 by the browser. ASM decodes the %25 and then it notices the percent still there so it then thinks the user has encoded the value twice. In this case it is not that it has been encoded twice but the parameter value actually has a percent symbol in it. What is the workaround in ASM to allow for parameter values to contain a percent symbol?

 

 

Thanks

 

-Deon

 

  • Hi Deon,

     

     

    Which ASM version are you running? I seem to remember a bug where the evasion technique logic would falsely detect extra URL encodings even when it wasn't there. I couldn't find a solution on this, but I think it was in 10.0.x. If you haven't done so, you should create a global parameter named password and allow the % metacharacter for it. I'd try to keep this set to disabled in the global param value charset.

     

     

    If you're still seeing the evasion technique violation after that (which I think you will), then I'd open a case with F5 Support on this.

     

     

    Aaron
  • Well I think you can allow multiple decoding in Evasion Technique violations. Try making it 3 or 4 and test.

     

  • Hello Josh, I realised it after your comment but nevertheless the problem and solution still matched for this post and can help anyone who visit this page.

     

  • MSZ's avatar
    MSZ
    Icon for Nimbostratus rankNimbostratus

    What will happen if we make it 3? How it will act?