ASM disallowed url %

Question

All,&nbsp;Running into an issue with disallowed url on ASM. We needed to block the ecp in owa like so https://owa.host.com/ecp, this works as expected just by adding /ecp in the disallowed list. If you use trustwave or another filter that changes the url to the below example, you bypass the /ecp block,&nbsp;https://owa.host.com/owa/auth/logon.aspx?replaceCurrent=1&amp;url=https%3a%2f%2fowa.host.com%2fecp%2f&nbsp;I need to be able to block this request as well but unable to figure out how to have ASM detect the %2fecp%2f. &nbsp;Any thoughts?

drj · Answer

Have you verified that the evasion techniques are set correctly? I'm not able to check at the moment, but this may also depend on your parameter settings/require an explicit parameter check?

https://support.f5.com/csp/article/K7929

ivan_chernenkii · Answer

Is request logged with /ecp URL in second case?

As I see, in second case you send /ecp URL in query string parameter, that is why disallowed URL doesn't have affect on it.

To block all requests with /ecp in URL or in query string you can create attack signature like uricontent:"/ecp"; nocase;

dave_pisarek · Answer

I just created a customer signature for the specific ecp pattern.

Forum Discussion

ASM disallowed url %

Recent Discussions

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Need Urgent BIGIP Trial License and VM Image

APM for banner and cert

How to Renew F5 Device Certificate

UCS backup not loading Big IP DNS pool

Related Content

How to create allowed/ disallowed URL in F5 XC

ASM - Adding Allowed URL's via CLI in 2023

URL Shortener

File Uploads and ASM

ASM/WAF Management Automation - TMOS

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS