Is it possible to bypass the RFC Violations (High ASCII characters in headers) check for a cookie?
I have a GET request that contains a Cookie with an ASCII character with a code greater than 127 and is therefore blocked by the RFC Violations (High ASCII characters in headers) check. This check is done on the HTTP header. Is it possible to avoid this check only on the Cookie parameter?
2 Replies
- samstep
Cirrocumulus
Cookie header is still a header and should be ASCII characters only in accordance with RFC2616. There is no way to change this behavior in ASM unless you disable the blocking for this rule (which is obviously not secure and should be avoided!)
If your application is sending a high-ASCII character in cookies it is breaking the standard. Even if your back-end web server can interpret high-ASCII characters it does not mean that the application should be sending them. High-ASCII characters should be encoded.
Talk to your application developers (if they are available) and ask them to change this and encode the cookie. If it is not possible then the suggested workaround is to write an iRule which will create an exception and allow the request for a particular URI (for example) while still blocking the rest of bad traffic.
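An added example, not part of the original post and not F5 code: a sketch of the application-side fix, assuming percent-encoding of the UTF-8 bytes as the encoding (the reply does not name one). The function names and the sample cookie are constructed for illustration.

```python
from urllib.parse import quote, unquote

def high_ascii_offsets(header_line):
    """Offsets of bytes above 127, the condition the violation describes."""
    return [i for i, b in enumerate(header_line) if b > 0x7F]

def encode_cookie_value(value):
    """Percent-encode a value as UTF-8 so only ASCII reaches the wire.
    safe="" also encodes '/', ';', '=', ',' and spaces, which keeps the
    value from being confused with cookie delimiters."""
    return quote(value, safe="", encoding="utf-8")

def decode_cookie_value(value):
    """Reverse of encode_cookie_value; rejects invalid UTF-8 instead of guessing."""
    return unquote(value, encoding="utf-8", errors="strict")

def build_cookie_header(cookies):
    """Build a Cookie header line. Names are assumed to be plain ASCII tokens."""
    pairs = ["%s=%s" % (name, encode_cookie_value(val)) for name, val in cookies.items()]
    # .encode("ascii") raises if a non-ASCII character slipped through.
    return ("Cookie: " + "; ".join(pairs)).encode("ascii")

def parse_cookie_header(header_line):
    """Server side: split the header and decode each value."""
    text = header_line.decode("ascii")  # raises on high-ASCII bytes
    body = text.split(":", 1)[1].strip()
    result = {}
    for pair in body.split("; "):
        name, _, raw = pair.partition("=")
        result[name] = decode_cookie_value(raw)
    return result

# Constructed sample: the kind of header the check blocks (raw UTF-8 in a cookie).
RAW_HEADER = "Cookie: user=Zoë".encode("utf-8")

if __name__ == "__main__":
    print("raw header, offending offsets:", high_ascii_offsets(RAW_HEADER))
    fixed = build_cookie_header({"user": "Zoë"})
    print("encoded header:", fixed)
    print("offending offsets after encoding:", high_ascii_offsets(fixed))
    print("decoded by the server:", parse_cookie_header(fixed))
```

With the value encoded this way the header carries only ASCII bytes, so the RFC check can stay in blocking mode without an exception.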
- MSZ
Nimbostratus
Hi
Did you use v14.1.1?
Does it have the microservice option?