For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

tomh_185559's avatar
tomh_185559
Icon for Nimbostratus rankNimbostratus
Jun 10, 2015

Cookie RFC compliant? Unusual use case

I'm investigating some interesting security events when implementing ASM rules against a VIP. The ASM logs list an event that the request contains "Cookie not RFC-compliant" due to "Invalid character...
ASM Advanced WAF
security
tomh_185559's avatar
tomh_185559
Icon for Nimbostratus rankNimbostratus
Jun 12, 2015

Thanks Erik, but I think the issue is that there is no consideration by the F5 (or the RFC?) that a backslash is attempting to escape the second double quote. It's likely that the RFC considers all characters as plain text. So, the second double quote effectively 'ends' the value part of the name/value pair. The F5 expects the name/value separator (semi-colon in this case) I believe the event is triggered by this 'missing' separator.

 

I'm guessing that the web server simply passes all of these characters into the web app and it is up to the development team to parse it properly. I know this is not the best practice, but might be looking for a temporary workaround.

 

Thanks again.