Gumshoe
Nov 30, 2023
Solved

ASM blocked request contains & (ampersand) symbol in parameter value

ASM thinks that in a parameter value the "&" and space is the beginning of a new parameter and thus blocks on AMF body context for a command execution signature and does not check the built parameter. 

Should it be recommended to the developers that they encode their "&" throughout their request to not confuse the ASM or just have them not use that character in their input fields?

example:  &BuiltParameter=Chocolate&0x20MSG0x20

 

  • Hi Gumshoe,

    BIG-IP ASM supports the ampersand & symbol as a delimiter between parameters

    A parameter is a piece of information within a web application, such as a user name, address, credit card number, or phone number.

    The BIG-IP ASM system supports the question mark symbol (?) as the separator between the path and query string of the URI. However, the BIG-IP ASM system only supports the ampersand symbol (&) as a delimiter between parameters. 

    & is used in a url as a parameter separator and is a reserved keyword or 

    Recommended Actions

    Use url encoding if you want & to be part of the parameter value

    The url encoded value for & is %26

    eg.

    param3=hello%20%26%20world

    If characters & and = are part of the parameter value, they must be encoded to %26 and %3d

     

    string1%26string2%3dstring3

     


    HTH

    🙏
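The splitting behaviour discussed in this thread, as an added example that is not part of the original posts: Python's `urllib.parse` stands in for any parser that treats `&` as the parameter delimiter (it is not ASM's own parser), and the helper names are hypothetical. The value `Chocolate& MSG ` is constructed from the question's example, assuming `0x20` there denotes a space.

```python
from urllib.parse import parse_qsl, quote, urlencode


def build_query(params):
    """Percent-encode every name and value so '&', '=' and spaces stay in the value."""
    # quote_via=quote gives %20 for spaces (as in the reply); safe="" encodes '/' too.
    return urlencode(params, quote_via=quote, safe="")


def parse_query(query):
    """Split on '&', then on the first '=', the way a delimiter-based parser does."""
    return parse_qsl(query, keep_blank_values=True)


def unexpected_names(query, expected):
    """Return parameter names the application never defined.

    A non-empty result usually means a raw '&' inside a value was taken
    as the start of a new parameter.
    """
    return [name for name, _ in parse_query(query) if name not in expected]


# Constructed sample input based on the question's example.
EXPECTED = {"BuiltParameter"}
VALUE = "Chocolate& MSG "

RAW_QUERY = "BuiltParameter=" + VALUE                   # what the developers send today
ENCODED_QUERY = build_query({"BuiltParameter": VALUE})  # what the reply recommends

if __name__ == "__main__":
    print("raw     :", parse_query(RAW_QUERY))
    print("  unexpected names:", unexpected_names(RAW_QUERY, EXPECTED))
    print("encoded :", ENCODED_QUERY)
    print("  parsed:", parse_query(ENCODED_QUERY))
    print("  unexpected names:", unexpected_names(ENCODED_QUERY, EXPECTED))
```

Encoding on the client keeps the whole string in one parameter, so a WAF policy can check it against that parameter's own rules instead of treating the tail as a separate, undefined parameter.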

     

     

     

     
