Forum Discussion

Altostratus

Nov 30, 2023

ASM blocked request contains & (ampersand) symbol in parameter value

ASM thinks that in a parameter value the "&" and space is the beginning of a new parameter and thus blocks on AMF body context for a command execution signature and does not check the built parameter...

F5_Design_Engineer
Nov 30, 2023
Hi Gumshoe,

BIG-IP ASM supports the ampersand & symbol as a delimiter between parameters

A parameter is a piece of information within a web application, such as a user name, address, credit card number, or phone number.

The BIG-IP ASM system supports the question mark symbol (?) as the separator between the path and query string of the URI. However, the BIG-IP ASM system only supports the ampersand symbol (&) as a delimiter between parameters.

& is used in a url as a parameter separator and is a reserved keyword or

Recommended Actions

Use url encoding if you want & to be part of the parameter value

The url encoded value for & is %26

eg.

param3=hello%20%26%20world

If characters & and = are part of the parameter value, it must be encoded to %26 and %3d

string1%26string2%3dstring3

If characters & and = are part of the parameter value, it must be encoded to %26 and %3d

string1%26string2%3dstring3

HTH

🙏

F5_Design_Engineer

MVP

Hi Gumshoe,

BIG-IP ASM supports the ampersand & symbol as a delimiter between parameters

A parameter is a piece of information within a web application, such as a user name, address, credit card number, or phone number.

The BIG-IP ASM system supports the question mark symbol (?) as the separator between the path and query string of the URI. However, the BIG-IP ASM system only supports the ampersand symbol (&) as a delimiter between parameters.

& is used in a url as a parameter separator and is a reserved keyword or

Recommended Actions

Use url encoding if you want & to be part of the parameter value

The url encoded value for & is %26

eg.

param3=hello%20%26%20world

If characters & and = are part of the parameter value, it must be encoded to %26 and %3d

string1%26string2%3dstring3

If characters & and = are part of the parameter value, it must be encoded to %26 and %3d

string1%26string2%3dstring3

HTH

🙏

Gumshoe

Altostratus

Nov 30, 2023

Thank you for the explanation!

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

ASM blocked request contains & (ampersand) symbol in parameter value

Recommended Actions

Recommended Actions

Recent Discussions

APM with EntraID as idP / request signed

Should config via cli rather than gui?

Background Tasks

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Knowledge sharing: Containers, Kubernetes, Openshift, F5 Container Connector, NGINX Ingress

Scale Multi-Cluster OpenShift Deployments with F5 Container Ingress Services

Deploying F5 NGINX Plus Graviton-powered Containers as AWS ECS Fargate Tasks

Brute Force protection for single parameter like OTP

Distributing Traffic Between Platform Agnostic Container Environments with BIG-IP DNS

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS