Forum Discussion
ASM: Change the POST data parameter delimiter
Hi Folks,
currently I'm trying to create a security policy for the famous open source ticket system OTRS. Due to the behavior of OTRS I'm stuck with parameter handling. If an agent is sending a response to the customer, the POST request is sent in a format like this:

POST /otrs/index.pl? HTTP/1.1
Host: otrs.example.com
[...]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length:
[...]
TicketID=12345;[...]Subject=;Body=

instead of

POST /otrs/index.pl? HTTP/1.1
Host: otrs.example.com
[...]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length:
[...]
TicketID=12345&[...]Subject=&Body=

So as the delimiter used to separate single parameters is a semicolon, instead of ampersand, the ASM does not recognize all single parameters. The only parameter seen is the first one listed (here: "TicketID"). Only when a content type of "multipart/form-data" is used, the ASM can identify all the parameters. Typically I'm disabling violations, i.e. Attack Signatures, based on a tuple of parameter/URL. But as the ASM cannot identify the single parameters in the request the only chance is to disable a violation globally or for the first parameter listed (in the example above "TicketID"). This doesn't make sense for the policy, because it's very usual that there is content sent in emails, which will trigger Attack Signature Violations, for example SQL Code, HTML/Javascript or Linux Bash commands. Therefore it makes sense to disable those Attack Signatures only on single parameters, like "Body".
Has anybody an idea how to handle this? Is there a chance to make ASM also use a semicolon as a parameter delimiter in POST requests? It would be necessary to let the ASM check for ampersand and semicolon, as not all POST requests are sent with a semicolon.
I thought about an iRule, which would replace all semicolons in a POST request body on the client side to ampersands, if several conditions are matching (especially "[HTTP::header Content-Type] starts_with 'application/x-www-form-urlencoded'"), and then, on the server side, replace them back to semicolons. But I fear that this may be very resource intensive.
I appreciate any ideas to resolve this issue.
Thanks in advance.
Greets, svs
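
The parsing difference described in the post above, as an added example that is not part of the original post and is not F5 or OTRS code: a small Python model showing how an ampersand-only split attributes the whole body to "TicketID", so a signature exception on "Body" never applies, and how splitting on both delimiters (or rewriting ";" to "&" for form bodies only) restores per-parameter handling. The signature regex, the function names and the sample body are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

FORM_TYPE = "application/x-www-form-urlencoded"
# Toy stand-in for attack signatures (assumption, not a real ASM signature).
SIGNATURE = re.compile(r"(?i)\bunion\s+select\b|<script\b")
# Parameters on which signatures are switched off, as the post wants for "Body".
EXEMPT = {"Body"}


def split_form(body, delimiters="&"):
    """Split a urlencoded body into decoded (name, value) pairs."""
    pairs = []
    for field in re.split("[" + re.escape(delimiters) + "]", body):
        if field:
            name, _, value = field.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def violations(body, delimiters="&"):
    """Names of non-exempt parameters whose value matches the signature."""
    return [name for name, value in split_form(body, delimiters)
            if name not in EXEMPT and SIGNATURE.search(value)]


def to_ampersand(content_type, body):
    """Rewrite ';' delimiters to '&' for form bodies only.

    A literal semicolon inside a value is expected to arrive as %3B, so it is
    left alone. Reversing is lossless only if the original used ';' throughout.
    """
    if content_type.lower().startswith(FORM_TYPE):
        return body.replace(";", "&")
    return body


# Constructed sample: an agent reply quoting SQL in the mail body.
CT = "application/x-www-form-urlencoded; charset=UTF-8"
SAMPLE = "TicketID=12345;Subject=Re%3A+report;Body=SELECT+1%3B+UNION+SELECT+2"

if __name__ == "__main__":
    print(violations(SAMPLE))                    # ['TicketID']
    print(violations(SAMPLE, "&;"))              # []
    print(violations(to_ampersand(CT, SAMPLE)))  # []
```
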
2 Replies
- nathe
Cirrocumulus
svs,
According to this solution you're out of luck. I checked Advanced Configuration too and no joy. This solution doesn't have v12 listed as "Applies to" so I wonder if this behaviour has changed in v12, else the solution hasn't been updated.
If not then I'd probably raise a case with F5 or an RFE. Others may have requested this so the more visibility the better.
N
- MaCrek
Nimbostratus
Hi,
Did you find the solution how to achieve this? After 3 years, I have the same issue. Maybe in current versions there should be an option to change the x-www-form-urlencoded params delimiter.
Thanks
