Cookie not RFC-compliant with Asp.net flows

Question

Hi,&nbsp;
&nbsp;I have some strange blocked requests because of "Cookie not RFC-compliant".&nbsp;
&nbsp;Examples :
&nbsp;Invalid carriage return, Invalid equal sign preceding cookie name, Invalid space in cookie name&nbsp;
&nbsp;Its occurs when a netsurfer is on an Asp.Net site wich then POST a request to our "J2EE" Asm-ed website (with JSESSION_ID)&nbsp;
&nbsp;Each request, bring some fields "__EVENTTARGET, __EVENTARGUMENT and __VIEWSTATE" which containes many hexa caracters which could brinf some carriege returns,...&nbsp;
&nbsp;I don't know why, but the ASM indicate that my J2EE cookie are not RFC Compliant with errors shown before, even if they seems to be good :&nbsp;
&nbsp;Examples :
&nbsp;Cookie: JSESSIONID=9A94EF6C61A619C0523F677C90B7686A.tpsips01v-ubzprd-sips_payment_bnp-1; TS33fc98=588fae4afe8d5d0cf89a37a5658796c6a7fb8c370296a6a24c287da760ac0ec577b9df1c
&nbsp;Cookie: JSESSIONID=17FBA3FBEC808CE7DD0ADEC8B13B3409.tpsips01v-ubzprd-sips_payment_bnp-1; TS33fc98=3d929ae670ed124cbc683f7224d80b1545afbc290d4c52da4c286a7660ac0ec58f3e6bfa&nbsp;
&nbsp;and the errors are :&nbsp;
&nbsp;Invalid carriage return
&nbsp;prod/callpayment0xd0xaCookie:0x20JSESSI&nbsp;
&nbsp;Invalid space in cookie name
&nbsp;ie:0x20JSESSIONID=6EED3031E7ED195FD&nbsp;&nbsp;
&nbsp;Question 1 : Is it a buffer overflow due to Asp.net long fields wich make false-positive on my cookies ?&nbsp;
&nbsp;Question 2 : If yes, how to prevent RFC cookie non compliant rules without "live" delete any Asp.net fields ?&nbsp;
&nbsp;Question 3 : If no, what is the problem and how must I do....?&nbsp;
&nbsp;Thanks in advance,
&nbsp;Rodolphe (fr)&nbsp;&nbsp;

rodolphe_aubine · Answer

If needed I can show some blocked request "by truncated" by ASM report tool.
&nbsp;Ask me if needed.&nbsp;

hoolio · Answer

Hi Rodolphe, 
&nbsp;  
&nbsp; There is a bug with cookie parsing in ASM in several versions: 
&nbsp;  
&nbsp;  SOL10764: Large POST requests may trigger BIG-IP ASM cookie violations   
&nbsp; https://support.f5.com/kb/en-us/solutions/public/10000/700/sol10764.html 
&nbsp;  
&nbsp; However, it looks like snippet you've posted is being parsed incorrectly by ASM.  This "prod/callpayment0xd0xaCookie:0x20JSESSI" looks like a prior header value, a carriage return and line feed and then the start of the cookie header. 
&nbsp;  
&nbsp; Can you post an anoymized copy of the full request? 
&nbsp;  
&nbsp; Thanks, Aaron

hoolio · Answer

Thanks for that.  Can you also post the exact violations for this request?   
&nbsp;  
&nbsp; Aaron

rodolphe_aubine · Answer

&nbsp;ie:0x20JSESSIONID=6EED3031E7ED195FD Invalid space in cookie name&nbsp;

hoolio · Answer

I'd guess this is a bug described in SOL10764 as I don't see any invalid characters in the cookie name or value.  Are you running a version affected by this bug (10.1.0, 10.0.1, 10.0.0, 9.4.8, 9.4.7, 9.4.6, 9.4.5, 9.4.4)? 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Cookie not RFC-compliant with Asp.net flows

Recent Discussions

AS3 Limitations

Diameter iRules attachment?

Help needed with iRule (connection closed log )

Use of SSL Decryption.

VLAN Failsafe Functionality

Related Content

Cookie not RFC-compliant - Cookie has no value

Cookie-based DDoS protection

2. SYN Cookie: Operation

Cookie not RFC-compliant - RFC VIOLATIONS

1. SYN Cookie: Intro

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS