Emil_T
Aug 11, 2024

Leading tab in header name: Authorization

I have a violation / suggestion: a detection of "Leading tab in header name" on a header named "Authorization".

When I look at the request, I don't see the "TAB" in the header name. I expect to see something like this:

"    Authorization"

But what I see is a header named "Authorization".

I'm wondering whether the meaning here is header context, or is there something else I'm missing?


Here is the request and F5 log:

BIG-IP Application Security Manager
Security Events Report
Exported on: 2024-08-11 16:40:22 | Exported by: 
Hostname: F5-AWAF | IP Address: 
Support ID: 5162895
Request Details
Requested URL [HTTPS] /ag/logout
Time     2024-08-11 15:46:57
Enforcement Action      Block
Enforced By      Application Security Policy
Violation Rating 1  Request is most likely a false positive
Attack Types     Detection Evasion
Geolocation      
Source IP Address   9.5.8.6.:53483
Device ID          N/A
Username         N/A
Session ID         ad8a5466e66666b6
Source IP Intelligence    N/A
Security Policy   /Common/SWAF
Virtual Server    /Common/s
Request Status   Blocked
Blocking Exception Reason        N/A
Accept Status    Not Accepted
Host     s.co
Destination IP Address   16.16.16.6:443
Response Status Code   N/A
Protocol Info     HTTP/1.1
Severity            Error
Signatures CVEs N/A
Detected Violations
Attack signature detected [1]
Request
Request actual size: 1337 bytes.
GET /Ag/logout HTTP/1.1
Host: s.co.
Connection: keep-alive
Cache-Control: no-cache, no-store, must-revalidate
sec-ch-ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Pragma: no-cache
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
Authorization: ************************************************************************************************************************************************************************************************
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: application/json, text/plain, */*
If-Modified-Since: 0
Expires: 0
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://s.co/Ag/
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en,en-US;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: _ga=GA1.1.6666663693.6666667143; SL_C_23361dd035530_SID={"666666":{"sessionId":"6666-T6666666","visitorId":"666666HGfeRq"}}; _ga_QX6666666=GS1.1.6666661357.0.0; TS014666666
X-Forwarded-For: 6.6.6.6

Response
No response details are available because request was blocked
Violation Details
Attack signature detected [1]
Detected Keyword         **** (sensitive data masked)
Attack Signature ID      200018064
Name                     Leading tab in header name
Context                  Header
Header Name              Authorization
Header Value             *****
Applied Blocking Settings           Block Alarm Learn
Violation Description
Description      The system examines the HTTP message for known attacks by matching it against known attack patterns.
Severity         Error

    • Emil_T

      We are talking about header name here - not header content.

  • Following...


    I am seeing a similar issue with one of our applications that is not adding a trailing tab or space in the header when redirecting away from the app.

  • The rule of the signature is seeking a horizontal tab after the line feed, which only happens in the header name. But this version is affected by ID1003765, which detects the pattern in the base64 value even if it's disabled. The issue is fixed in version 16.1.4:

    Bug ID 1003765: Authorization header signature triggered even when explicitly disabled
    https://cdn.f5.com/product/bugtracker/ID1003765.html
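To make the distinction in the last reply concrete, here is a small checker for the condition the signature is meant to catch: a horizontal tab immediately after a line feed, i.e. at the start of a header line where the header name should be. It is an added example for triage, not code from this thread or from F5, and the three requests it inspects are constructed (the Basic credential is the RFC sample "Aladdin:open sesame").

```python
import re
from typing import List, Tuple

# The byte pattern the signature looks for: a tab right after a line feed,
# which in an HTTP/1.1 header section can only occur at the start of a line
# (obsolete line folding / a leading tab in the header-name position).
LEADING_TAB = re.compile(rb"\n\t")


def header_block(raw: bytes) -> bytes:
    """Return the header section of a raw HTTP/1.1 request (body excluded)."""
    end = raw.find(b"\r\n\r\n")
    return raw if end < 0 else raw[:end + 2]


def signature_matches(raw: bytes) -> bool:
    """True if the raw header section contains the LF-then-tab byte pattern."""
    return LEADING_TAB.search(header_block(raw)) is not None


def leading_tab_lines(raw: bytes) -> List[Tuple[int, bytes]]:
    """Header lines (index, bytes) whose *name* position starts with a tab."""
    lines = header_block(raw).split(b"\r\n")
    # Index 0 is the request line; header lines start at 1.
    return [(i, line) for i, line in enumerate(lines[1:], start=1)
            if line.startswith(b"\t")]


def tab_inside_value(raw: bytes) -> List[bytes]:
    """Header names whose *value* contains a tab: a different context that the
    leading-tab signature does not describe."""
    names = []
    for line in header_block(raw).split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and b"\t" in value and not line.startswith(b"\t"):
            names.append(name)
    return names


# Constructed sample requests (credential is the RFC example, not real data).
CLEAN = (b"GET /Ag/logout HTTP/1.1\r\nHost: s.co\r\n"
         b"Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n\r\n")
FOLDED = (b"GET /Ag/logout HTTP/1.1\r\nHost: s.co\r\n"
          b"\tAuthorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n\r\n")
TAB_IN_VALUE = (b"GET /Ag/logout HTTP/1.1\r\nHost: s.co\r\n"
                b"Authorization: Basic\tQWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("folded", FOLDED), ("tab-in-value", TAB_IN_VALUE)):
        print(label, signature_matches(req), leading_tab_lines(req), tab_inside_value(req))
```

Only the "folded" request shows a tab in the header-name position; a tab inside the Authorization value is a separate context and is not what the "Leading tab in header name" signature describes, so a hit on a request that looks like the one in the original post is worth checking against the bug referenced above.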