Forum Discussion

Nimbostratus

Apr 29, 2011

ASM - False Positive Multiple Decoding Evasion Technique

I am fairly new to ASM and we have just put in place our first ASM policy. I am seeing false positives show up in reporting and customers are reporting the blocking page. The most common issue appea...

app sec

BIG-IP Access Policy Manager (APM)

security

hooleylist

Cirrostratus

Apr 29, 2011

Hi Deon,

Which ASM version are you running? I seem to remember a bug where the evasion technique logic would falsely detect extra URL encodings even when it wasn't there. I couldn't find a solution on this, but I think it was in 10.0.x. If you haven't done so, you should create a global parameter named password and allow the % metacharacter for it. I'd try to keep this set to disabled in the global param value charset.

If you're still seeing the evasion technique violation after that (which I think you will), then I'd open a case with F5 Support on this.

Aaron

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

ASM - False Positive Multiple Decoding Evasion Technique

Recent Discussions

ports are showing open on online scanning tool

Upgrade F5 BIGIP

DNS HM Probe issue

Is XFF a must for ASM WAF DoS

Switch ssl profile based on weak cipher detection via IRULE

Related Content

WAF evasion techniques for Command Injection

Positive Security vs. Negative Security: A Comparison Using F5's Security Portfolio

F5 Distributed Cloud WAF AI/ML Model to Suppress False Positives

CMS causing False Positives

Mitigating new HTTP Request Smuggling techniques with BIG-IP ASM

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS