Forum Discussion

mbo1000_265533's avatar
mbo1000_265533
Icon for Nimbostratus rankNimbostratus
May 24, 2016

F5 ASM - Parameter value contains a sequence of characters ... & ... = ...

Dear All,

 

Normal way to send sequence of parameters and their values in HTTP POST request, is to put delimiter & between previous parameter value and next parameter name.

 

We have an application which is going to accept any sequence of characters for one parameter. Fortunately, that parameter is sent as the last in sequence (other parameters are always put before). That means when value of that last one parameter contains something like: string1&string2=string3, ASM sees string2 as Illegal parameter name.

 

Is there any way to configure ASM to really ignore that parameter value and do not look for other parameters when parsing POST request body? I understand that it is like nesting other parameters inside value of that parameter, but we have no possibility to change that application specification - it is widely used between companies in the world.

 

Regards,

 

MBo

 

ASM Advanced WAF
security

2 Replies

  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    May 25, 2016
    mbo1000, what happens if you create an explicit Parameter in the policy called string2 (if you haven't already of course)?
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    May 25, 2016

    How is encoded the parameter?

     

    If characters & and = are part of the parameter value, it must be encoded to %26 and %3d

     

    string1%26string2%3dstring3