bad unescape false positive

Question

Hi, 
the ASM catch false positive attack "bad unescape" for such parameter, 
we need to bypass this signature at specific parameters and URL, not all security policy.&nbsp;
and what the consequences if we disabled it at the whole security policy? &nbsp;

samstep · Answer

"good unescape" is URL encoding - when ASCII string is present in the format %00 - %FF  - each byte is replaced with % followed its hexadecimal value (see https://en.wikipedia.org/wiki/Percent-encoding)&nbsp;
"bad unescape" is a string which uses percent sign followed by two characters which are NOT 0-9 A-F. For example:  %2R &nbsp;
This is usually a sign of potential evasion of filters and cross-site-scripting attack attempts, however can also be a false positive, for example: someone's password could be "100%secure" , so "%se" in that password can be detected as "bad unescape".&nbsp;
The best practice of course is to loosen the policy just on the URLs/fields where you are seeing false positives (which you are already doing). If you decide to disable blocking of this violation policy-wide I would still advise to keep the "Alert" flag on.&nbsp;
Hope this helps,
Sam&nbsp;

Forum Discussion

bad unescape false positive

1 Reply

ICYMI - Steve Wozniak at AppWorld 2026

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

LB Connection Limit Detection Method

Connections appear not to use Persistence

access by browser can not be reach after add bot defense profile

iApps with load ucs Platform-migrate on newer hardware

Partially reachabilty issues with VS in F5OS tenant

Related Content

F5 Distributed Cloud WAF AI/ML Model to Suppress False Positives

Separating False Positives from Legitimate Violations

Handle False Positive for files upload

CMS causing False Positives

Attack Signature False Positive Mode

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS