Forum Discussion
Deon
Nimbostratus
NimbostratusASM - False Positive Multiple Decoding Evasion Technique
I am fairly new to ASM and we have just put in place our first ASM policy. I am seeing false positives show up in reporting and customers are reporting the blocking page. The most common issue appears to be that the user has entered a percent symbol as part of an input parameter. In most cases it is the password entry parameter. The percent symbol is encoded as %25 by the browser. ASM decodes the %25 and then it notices the percent still there so it then thinks the user has encoded the value twice. In this case it is not that it has been encoded twice but the parameter value actually has a percent symbol in it. What is the workaround in ASM to allow for parameter values to contain a percent symbol?
Thanks
-Deon
hooleylistCirrostratus
Hi Deon,
Which ASM version are you running? I seem to remember a bug where the evasion technique logic would falsely detect extra URL encodings even when it wasn't there. I couldn't find a solution on this, but I think it was in 10.0.x. If you haven't done so, you should create a global parameter named password and allow the % metacharacter for it. I'd try to keep this set to disabled in the global param value charset.
If you're still seeing the evasion technique violation after that (which I think you will), then I'd open a case with F5 Support on this.
Aaron
avnashish_30238Well I think you can allow multiple decoding in Evasion Technique violations. Try making it 3 or 4 and test.
Hi Avnashish, did you realize that this original thread was from the year 2011?
- avnashish_30238
Hello Josh, I realised it after your comment but nevertheless the problem and solution still matched for this post and can help anyone who visit this page.
MSZGreat
- MSZ
What will happen if we make it 3? How it will act?
