Forum Discussion

ryan_hamdi
Sep 06, 2024

False Positive Bad Unescape BIG-IP ASM

I am encountering an issue where user input containing a percentage sign (%) causes the WAF to block the request with the error message "Bad Unescape".

How can I resolve this issue while ignoring the mismatch between the Content-Type header and the body payload?

Here is an example of the HTTP request:

POST /register HTTP/1.1
Host: test.com
Content-Type: application/x-www-form-urlencoded
Cookie: TS01xx
User-Agent: xx
Connection: keep-alive
Accept: application/json
Accept-Language: id-ID,id;q
Content-Length: x
Accept-Encoding: gzip, deflate, br

{"name":"NameMe","email":"test@gmail.com","username":"test","password":"Password1%"}


  • Hi Ryan,

    While this is a negative security violation, i.e. (User Unescape), you can use a policy microservice, which enables you to allow [Evasion Technique / HTTP compliance] false positives under a specific resource such as a URI.

    First ask the server owner >>> whether it is expected to receive % from the clients and this is the nature of the application; if so, I have simulated it in a demo for you, try it.

    This violation will only be disabled under the /register path, whereas it will be triggered for any other resources under test.com.

    Check that and let me know ...

  • As I recall, there is a way to configure F5 to interpret a request as JSON, allowing the password to be passed as a parameter. Of course, you can permit any characters you want in the parameter.
    To achieve this, I believe you can create a URL like /register, then specify the content type for that URL (e.g., XML, JSON, etc.).
    Hope that helps! :)
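To make the root cause in the original question concrete, and to show what the second answer's "parse /register as JSON" fix changes, here is an added example that is not part of this thread and not F5's code. It is a simplified model of what a WAF does with a request body: under application/x-www-form-urlencoded it percent-decodes the body, and a "%" that is not followed by two hex digits is a malformed escape (the "Bad Unescape" class of violation); under application/json it parses the body as JSON and the same trailing "%" is just a character inside a string. The function names, the strict decoder and the sample body are constructed for this illustration; real BIG-IP ASM internals differ.

```python
import json
import re
from typing import Dict

# Constructed sample: the JSON body from the thread, sent under a
# form-urlencoded Content-Type. The trailing "%" in the password is the
# character the WAF stumbles over when it URL-decodes the body.
SAMPLE_BODY = ('{"name":"NameMe","email":"test@gmail.com",'
               '"username":"test","password":"Password1%"}')


class BadUnescape(ValueError):
    """Raised when a '%' is not followed by exactly two hex digits."""


def strict_percent_decode(text: str) -> str:
    """Percent-decode like a strict WAF parser: reject malformed escapes
    instead of silently passing them through (as lenient libraries do)."""
    out = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == '%':
            hexpair = text[i + 1:i + 3]
            if not re.fullmatch(r'[0-9A-Fa-f]{2}', hexpair):
                raise BadUnescape(f"offset {i}: {text[i:i + 3]!r}")
            out.append(chr(int(hexpair, 16)))
            i += 3
        elif ch == '+':
            out.append(' ')
            i += 1
        else:
            out.append(ch)
            i += 1
    return ''.join(out)


def parse_form_urlencoded(body: str) -> Dict[str, str]:
    """Split key=value&key=value and strictly decode each part."""
    params = {}
    for pair in body.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params[strict_percent_decode(key)] = strict_percent_decode(value)
    return params


def parse_json_body(body: str) -> Dict[str, str]:
    """Treat the body as a JSON object; values become parameters as-is."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object at top level")
    return {k: str(v) for k, v in data.items()}


def inspect_body(content_type: str, body: str) -> dict:
    """Decode the body according to the declared (or URL-configured)
    content type, the way a WAF profile would. Returns either
    {'ok': True, 'params': {...}} or {'ok': False, 'violation': '...'}."""
    mime = content_type.split(';', 1)[0].strip().lower()
    try:
        if mime == 'application/x-www-form-urlencoded':
            return {'ok': True, 'params': parse_form_urlencoded(body)}
        if mime == 'application/json':
            return {'ok': True, 'params': parse_json_body(body)}
        return {'ok': False, 'violation': f'unsupported content type {mime!r}'}
    except BadUnescape as exc:
        return {'ok': False, 'violation': f'Bad Unescape: {exc}'}
    except ValueError as exc:
        return {'ok': False, 'violation': f'Malformed body: {exc}'}


if __name__ == '__main__':
    # The request exactly as posted: form-urlencoded decoding hits the "%".
    print(inspect_body('application/x-www-form-urlencoded', SAMPLE_BODY))
    # The same body parsed under a JSON profile for /register: no violation,
    # and the password arrives as a normal parameter value.
    print(inspect_body('application/json', SAMPLE_BODY))
    # How a genuine form post would have to carry a literal "%".
    print(parse_form_urlencoded('username=test&password=Password1%25'))
```

Two things the model makes visible: the violation is not about the "%" being dangerous, it is about the body not being valid for the content type the client claimed, so the clean fixes are either the client sending Content-Type: application/json or the WAF being told to parse /register as JSON (the second answer). Relaxing the unescape check for the URL instead, as the first answer describes, also stops the block but leaves the mismatch in place.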