Forum Discussion

SteveD1979
Jan 16, 2024

Disabling ASM attack signature for file upload

Hello,

We have an application where customers may attach files when they submit an enrollment.  Sometimes the upload of these files is being blocked by our ASM policy because they are similar to a regex expression.  Our IPS team who manages the ASM tried to create an allow URL and add the parameter for the file upload but said this wasn't working because at this level you can only block parameter level attack signatures.  The signatures we're trying to block aren't parameter level attack signatures.  Any suggestions?

  • Hi SteveD1979,

    The request body handling control can be disabled by checking on the content-type or a different specific header value.

    "Content-type: multipart/form-data" header is sent on file upload. It may have a different value based on the application.

    • SteveD1979

      Thanks for your reply.  Does the "Do nothing" option allow the customer to upload the file but keep the security policy in place for the URL?  Or would we want to do the form data or another option?

      • afr_jn

        If the Content-Type matches multipart/form-data (or: specific file upload) for a specific URL, the body handling will do nothing. If the Content-Type does not match multipart/form-data, such as Content-Type: text/html; charset=UTF-8, the body handling will apply value and content signatures.

    • SteveD1979

      The filename can only be two different things.  Is there a way to look at the payload and if it contains one of those file names allow the upload and keep the ASM policy intact?

    • SteveD1979

      The violation is attack signature detected Generic buffer overflow attempt 27 signature ID 200011026
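
Added example, not part of the original thread and not ASM configuration or iRule code: a Python model of the decision discussed above, where body signatures are skipped only for a multipart/form-data upload whose every file part carries an expected filename. The allowlist entries, function names and the sample request are assumptions constructed for illustration; the two handling labels reuse the thread's wording.

```python
import email

# Constructed allowlist: the thread says only two filenames are valid but never names them.
ALLOWED_FILENAMES = {"enrollment.pdf", "supporting_document.pdf"}

DO_NOTHING = "Do Nothing"
APPLY_SIGNATURES = "Apply Value and Content Signatures"


def upload_filenames(content_type, body):
    """Filenames declared by a multipart/form-data body, or None if it is not one."""
    if "\r" in content_type or "\n" in content_type:
        return None  # refuse header injection through the Content-Type value
    head = b"Content-Type: " + content_type.encode("latin-1", "replace") + b"\r\n\r\n"
    msg = email.message_from_bytes(head + body)
    if msg.get_content_type() != "multipart/form-data" or not msg.is_multipart():
        return None
    names = (part.get_filename() for part in msg.get_payload())
    return [n for n in names if n is not None]


def body_handling(content_type, body):
    """Skip body signatures only when every uploaded file has an allowlisted name."""
    names = upload_filenames(content_type, body)
    # The filename is client-supplied: the allowlist narrows the exemption,
    # it does not vouch for what the file contains.
    if names and all(n in ALLOWED_FILENAMES for n in names):
        return DO_NOTHING
    # Not multipart, no file part, or an unexpected filename: keep inspection on.
    return APPLY_SIGNATURES


def sample_upload(filename):
    """Constructed multipart/form-data request: (Content-Type value, body bytes)."""
    b = "constructedBoundary42"
    body = (
        f'--{b}\r\nContent-Disposition: form-data; name="applicant"\r\n\r\nJane Doe\r\n'
        f'--{b}\r\nContent-Disposition: form-data; name="attachment"; filename="{filename}"\r\n'
        f"Content-Type: application/octet-stream\r\n\r\n" + "A" * 64 + f"\r\n--{b}--\r\n"
    )
    return f"multipart/form-data; boundary={b}", body.encode("latin-1")


if __name__ == "__main__":
    for name in ("enrollment.pdf", "notes.txt"):
        print(name, "->", body_handling(*sample_upload(name)))
```
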