Forum Discussion
Disabling ASM attack signature for file upload
Hello,
We have an application where customers may attach files when they submit an enrollment. Sometimes the upload of these files are being blocked by our ASM policy because they are similar to a regex expression. Our IPS team who manages the ASM tried to create an allow URL and add the parameter for the file upload but said this wasn't working because at this level you can only block parameter level attack signatures. The signatures we're trying to block isn't a parameter level attack signatures. Any suggestions?
Hi SteveD1979,
The request body handling control can be disable by checking on the content-type or a different specific header value.
"Content-type: multipart/form-data" header is sent on file upload. It may has a different value based on the application.
- SteveD1979Cirrostratus
Thanks for your reply. Does the 'Do nothing" option allow the customer to upload the file but keep the security policy in place for the URL? Or would we want to do the form data or another option?
- afr_jnAltocumulus
If the Content-Type matches to multipart/form-data (or: spesific file upload) for spesific URL, the body handling will do nothing. If the Content-Type does not mathes to multipart/form-data, such as Content-Type: text/html; charset=UTF-8, the body handling will apply value and content signatures.
- SteveD1979Cirrostratus
The filename can only be two different things. Is there a way to look at the payload and if it contains one of those file names allow the upload and keep the ASM policy in tact?
can you share the ASM violation that matches with the upload requests?
- SteveD1979Cirrostratus
The violation is attack signature detected Generic buffer overflow attempt 27 signature ID 200011026
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com