Forum Discussion
Define allowed character in ASM for JSON parameter
I'm intercepting a POST with a JSON parameter and I want to check the content, but I'm not able to see where to define the allowed characters, length and type of each parameter.
I defined my parameters as JSON values.
If I post the following request, it's working:
<code>
{
  "data": {
    "type": "enrollment",
    "attributes": {
      "fire": "t",
      "app": "t",
      "installation": "t",
      "credential": "t",
      "phoneNumber": "1"
    }
  }
}
</code>
This one is also working:
<code>
{
  "data": {
    "type": "enrollment",
    "attributes": {
      "fire": "f",
      "app": "f",
      "installation": "f",
      "credential": "f",
      "phoneNumber": "1"
    }
  }
}
</code>
But if I post the following content, it's blocked with an error message that I have an "illegal character" (it's the same character as above, but I have two characters in the value instead of one):
<code>
{
  "data": {
    "type": "enrollment",
    "attributes": {
      "fire": "tf",
      "app": "tf",
      "installation": "tf",
      "credential": "tf",
      "phoneNumber": "2"
    }
  }
}
</code>
So where can I define the length and type of each JSON value?
Are you sure those are JSON values and not user-input values?
Do you have an OpenAPI Spec file to verify?
Since you are running on 15.1.2.1, as stated - if you have an OpenAPI Spec file, can you create a policy "REST API Security (Open API Spec)" with the Guided Configuration?
KR
Daniel
Hi,
the example which is blocked looks like valid JSON. Maybe check your JSON Profile here:
Security ›› Application Security : Content Profiles : JSON Profiles
As a reference, check the Manual Chapter : Adding JSON Support to an Existing Security Policy.
KR
Daniel
- PhilippeG (Nimbostratus)
Hi
Thanks for the reply. I already had a look at this page and I also checked "character set" in "application security - Content profiles - Character sets - JSON content" and in "application security - Parameters - Character sets - Parameter Value/Name".
What I don't understand is why it's accepted when the character is in first position in the value but not when it is in second position (or more).
KR
Philippe
Sorry, maybe I was on the wrong track.
Does this violation occur with any combination of more than one character in the value?
Or only when the f is in second position?
Or on any character in the second position?
EDIT: Did you change the Default JSON profile?
KR
Daniel
- CarineP (Employee)
Hi Daniel, Philippe is testing in v15.1.2.1