ASM signature 200011026 different behaviour from 11.5.x to 12.x

Question

Hello,&nbsp;
A POST request (multipart/form-data) with png file inside is being blocked by ASM version 11.5.4
The request is having the Content-Type header badly crafted inside the body part, and then ASM is parsing the multipart body in a very bad way.&nbsp;
I am trying to understand why in a v12 version of ASM, the exactly same request is not triggering this signature 200011026 (All signatures sets loaded in the policy).&nbsp;
The signature is part of the Generic Set, the one you have without doing anything more when creating the policy, but i still have added all sets.&nbsp;
Thanks for any advise of experience sharing&nbsp;

rob_carr_76748 · Answer

If you think that either a) this signature has been redefined in a way that means it is missing malicious content or b) the signature is not being processed correctly, this probably merits a support call.

Signatures can change from version to version, usually in order to make the signature more accurate.

rob_carr · Answer

If you think that either a) this signature has been redefined in a way that means it is missing malicious content or b) the signature is not being processed correctly, this probably merits a support call.

Signatures can change from version to version, usually in order to make the signature more accurate.

aurel · Answer

Hi,
Indeed the code is not the same, probably more accurate matching less content and avoiding more false positive, or being covered by another signature.&nbsp;
I finally get a match after many tests, but on a different part on the request.&nbsp;

rob_carr_76748 · Answer

That can happen sometimes, where a violation detected on a request will 'shadow' (my term) a violation that occurs later in the request. It's more common in older versions, i.e. in my recent experience ASM does better catching all violations in a request, not just stopping at the first significant issue.

rob_carr · Answer

That can happen sometimes, where a violation detected on a request will 'shadow' (my term) a violation that occurs later in the request. It's more common in older versions, i.e. in my recent experience ASM does better catching all violations in a request, not just stopping at the first significant issue.

Forum Discussion

ASM signature 200011026 different behaviour from 11.5.x to 12.x

Recent Discussions

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

AS3 Limitations

Unable to install firmware OS and drop at 10%

Statistics ›› Analytics : HTTP : Overview

Related Content

Support of WAF Signature Staging in F5 Distributed Cloud (XC)

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

BoT Defense Profile, Signature Enforcement

Wildcard Parameter signature attack

Live Update- ASM attack signatures

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS