Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

AHMADAD's avatar
AHMADAD
Icon for Altostratus rankAltostratus
Feb 22, 2022

Block specific parameter value

Hello All,  I am working on WAF policy where i need to allow any query paramter vlaue but block ones with sites or hostnames, example below. BLOCK : https://hostname/index.html?para1=https://exampl...
security
waf
Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP
Feb 25, 2022

Hi AHMADAD

you say that you want to prevent sites and hostnames as parameter value. But in my opinion this is a site:

ALLOW: https://hostname/index.html?para1=name1.html

Or do you consider this a page and pages are allowed?

Could you explain what you are trying to protect or prevent with this?  Are you trying to protect yourself from CSRF? There is a solution for this: K11930: Overview of the BIG-IP ASM CSRF protection feature

However, in my opinion this rather sounds like something that should be solved at the level of the application and not in a WAF.

KR
Daniel

AHMADAD's avatar
AHMADAD
Icon for Altostratus rankAltostratus
Mar 07, 2022

Hi Daniel, 

Thank you for your response.

Exactly, i considered this a page and its allowed but i don't want users to insert sites in parameter values, i 100% agree with you that this is something should be resolved at application side but was trying to help in my end as workaround 😉 

Thanks for sharing the CSRF link, we don't want to apply this solution as we have not tested it for this specific application and it may has negative side effects