Forum Discussion

helenio's avatar
helenio
Icon for Nimbostratus rankNimbostratus
Sep 13, 2024

Bypass "Bad unescape" in Body POST (ASM, POST, JSON)

Here the Block.

As you can see is "%" is detected without encoding meaning.

This is normal since the "%" is in the Body of the post as JSON data (see below)

Of course if I disable  the "Bad unescape" in " Learning and Blocking Settings" it works, but my Goal is to bypass using rule on parameter or similar, till now without success.

Does anyone have a solution ?

 

======= JSON on POST Dody Request =======================

 

 

  • Really appreciate the answer, thank you very much ...

    I still have problem to understand how it work, here what I, Created a "URLs : Allowed URLs : Allowed HTTP URLs" for POST request and on Meta Character I Disallowed the "%" .

     

    Now the request is not anymore blocket in term of "Bad unescape" but is allowed, and this is fine, but it looks that Meta Character control that is configure to block "%" (for test purpose) is not working.

     

    Where I'm wrong, I thougth that we where able to control Json Body Characters in this way .. isn't ?

     

     

     

     

    • Hi, 

       

      By disallowing it like that, the request should be blocked if it contains "%" so you need to allow it, if it's false positive 

    • helenio's avatar
      helenio
      Icon for Nimbostratus rankNimbostratus

      Yes my need to permit "%" in bodyis now ok, but ...

      As you can see isn't blocked (server send back answer), even if in Meta Character is selected as "Disallow", I'm expecting a Block page, my doubt is that maybe we have to work with parameters

       

      • Hi, 

        Make sure you enforce the newly created URI with POST method and disallowed %.

        and make sure you enable this: 

        also the policy in blocking mode