Gumshoe
Nov 30, 2023

ASM blocked request contains & (ampersand) symbol in parameter value

ASM thinks that in a parameter value the "&" and space is the beginning of a new parameter and thus blocks on AMF body context for a command execution signature and does not check the built parameter...
  • F5_Design_Engineer
    Nov 30, 2023

    Hi Gumshoe,

    BIG-IP ASM supports the ampersand & symbol as a delimiter between parameters.

    A parameter is a piece of information within a web application, such as a user name, address, credit card number, or phone number.

    The BIG-IP ASM system supports the question mark symbol (?) as the separator between the path and query string of the URI. However, the BIG-IP ASM system only supports the ampersand symbol (&) as a delimiter between parameters. 

    & is used in a url as a parameter separator and is a reserved keyword or 

    Recommended Actions

    Use URL encoding if you want & to be part of the parameter value.

    The URL-encoded value for & is %26.

    e.g.

    param3=hello%20%26%20world

    If the characters & and = are part of the parameter value, they must be encoded to %26 and %3d.

     

    string1%26string2%3dstring3

     


    HTH

    🙏
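The encoding advice in the reply above, as an added example that is not part of the original thread and is not F5's code: a simplified model of a parser that treats `&` as the only parameter delimiter, run over the same value sent raw and percent-encoded. The function names and the sample query strings are constructed for illustration.

```python
from urllib.parse import quote, unquote


def split_params(query: str) -> list[tuple[str, str]]:
    """Split a query string on '&' only, then on the first '=' of each chunk.

    Assumption: a simplified model of a delimiter-based parser, not the
    BIG-IP ASM implementation. Decoding happens after splitting, so an
    encoded %26 stays inside the value it belongs to.
    """
    pairs = []
    for chunk in query.split("&"):
        name, _, value = chunk.partition("=")
        pairs.append((unquote(name), unquote(value)))
    return pairs


def encode_value(value: str) -> str:
    """Percent-encode every reserved character: '&' -> %26, '=' -> %3D, ' ' -> %20.

    Hex digits in percent-encoding are case-insensitive, so %3D and %3d
    are the same byte.
    """
    return quote(value, safe="")


def build_query(params: dict[str, str]) -> str:
    """Build a query string whose values cannot be mistaken for delimiters."""
    return "&".join(
        f"{quote(name, safe='')}={encode_value(value)}"
        for name, value in params.items()
    )


# Constructed sample: the client sends the value "hello & world" unencoded.
RAW = "param1=a&param3=hello & world"
# The same parameters with the value percent-encoded before sending.
ENCODED = build_query({"param1": "a", "param3": "hello & world"})

if __name__ == "__main__":
    # Raw: the value is cut at '&' and " world" is treated as a new parameter name.
    print(split_params(RAW))
    print(ENCODED)
    # Encoded: one parameter, value intact after decoding.
    print(split_params(ENCODED))
```

With the raw input, the fragment after the `&` is parsed as a separate, unnamed-value parameter, which is the piece a signature check would then see on its own.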