ASM blocked request contains & (ampersand) symbol in parameter value
ASM thinks that in a parameter value the "&" and space is the beginning of a new parameter and thus blocks on AMF body context for a command execution signature and does not check the built parameter.
Should it be recommended to the developers that they encode their "&" throughout their request to not confuse the ASM or just have them not use that character in their input fields?
example: &BuiltParameter=Chocolate&0x20MSG0x20
Hi Gumshoe,
BIG-IP ASM supports the ampersand & symbol as a delimiter between parameters
A parameter is a piece of information within a web application, such as a user name, address, credit card number, or phone number.
The BIG-IP ASM system supports the question mark symbol (?) as the separator between the path and query string of the URI. However, the BIG-IP ASM system only supports the ampersand symbol (&) as a delimiter between parameters. & is used in a url as a parameter separator and is a reserved keyword or
Recommended Actions
Use url encoding if you want & to be part of the parameter value
The url encoded value for & is %26
eg.
param3=hello%20%26%20world
If characters & and = are part of the parameter value, it must be encoded to %26 and %3d
string1%26string2%3dstring3
HTH
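The delimiter behaviour described in the answer above, as an added example that is not part of the original thread and is not BIG-IP ASM's own parser: it splits a request on `&` and `=` and reports which parameter names appear only because a value was sent unencoded. The function names and the sample values (modelled on the question's example) are constructed for illustration.

```javascript
// Illustrative delimiter-based splitter; an assumption, not BIG-IP ASM's code.
function splitParams(wire) {
  return wire
    .split("&")
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("=");
      const name = eq === -1 ? pair : pair.slice(0, eq);
      const value = eq === -1 ? "" : pair.slice(eq + 1);
      return [decode(name), decode(value)];
    });
}

// Decode percent-escapes and "+" (form-encoded space); keep raw text if malformed.
function decode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch (e) {
    return s;
  }
}

// Build the wire form: encodeURIComponent turns & into %26, = into %3D, space into %20.
function buildQuery(params) {
  return Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

// Names the receiver would see that the sender never intended to send.
function phantomParams(intended, wire) {
  return splitParams(wire)
    .map(([name]) => name)
    .filter((name) => !Object.prototype.hasOwnProperty.call(intended, name));
}

// Constructed sample input: two values that contain "&" and spaces.
const intended = { BuiltParameter: "Chocolate& MSG ", param3: "hello & world" };
const rawWire = Object.entries(intended).map(([k, v]) => k + "=" + v).join("&");
const encodedWire = buildQuery(intended);

console.log(rawWire, "->", phantomParams(intended, rawWire));
console.log(encodedWire, "->", phantomParams(intended, encodedWire));
```

Run as a unit test over an application's form fields, a non-empty `phantomParams` result flags a value that will be split into extra parameters on the wire.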