Define allowed character in ASM for JSON parameter
- Daniel_Wolf, Nov 03, 2021, MVP
Are you sure those are JSON values and not user-input values?
Do you have an OpenAPI Spec file to verify?
Since you are running on 15.1.2.1, as stated - if you have an OpenAPI Spec file, can you create a policy "REST API Security (Open API Spec)" with the Guided Configuration?
KR
Daniel
Hi
Thanks for the reply. I already had a look at this page and I also checked "character set" in "application security - Content profiles - Character sets - JSON content" and in "application security - Parameters - Character sets - Parameter Value/Name".
What I don't understand is why it's accepted when the character is in first position in the value but not when it is in second position (or more).
KR
Philippe
Sorry, maybe I was on the wrong track.
Does this violation occur with any combination of more than one character in the value?
Or only when the f is in second position?
Or on any character in the second position?
EDIT: Did you change the Default JSON profile?
- PhilippeG, Nov 01, 2021, Nimbostratus
It depends on the character: when I'm sending "ft" or "tf", it occurs on the second character.
If I'm sending "a", it occurs on the first parameter.
And what is strange is that the violation occurs only on parameters "fire" and "installation", even if my four parameters (fire, installation, app and credential) have the same value.
- Daniel_Wolf, Nov 03, 2021, MVP
Hi,
I managed to reproduce your issue, but could not find a solution yet.
Which version are you on?
KR
Daniel
- PhilippeG, Nov 05, 2021, Nimbostratus
For me those are JSON values, as if I define parameters as "user input" nothing is caught (also disallowed character).
I asked the developer to forward me the OpenAPI spec file but so far I haven't received any answer. I hope to have something next week.
KR
Philippe
- PhilippeG, Nov 11, 2021, Nimbostratus
I received a spec file from the customer and created a new policy with the guided config. Parameters are correctly seen and secured.
In the end you were right, parameters are recognized as "user input value". I will now check both policies to understand what was wrong in the first one.