Forum Discussion
Legitimate Traffic is Blocked at ASM Policy
Certain good traffic is blocked at the ASM policy. From the event log I see it as HTTP protocol compliance failed, due to HTTP Validation tagged with "Null in request".
The HTTP POST shows %00 (bold below), which is mentioned in this KB: https://support.f5.com/csp/article/K7931.
f=json&checksum=%EF%BF%BD%1D%EF%BF%BD%D9%8F%00%EF%BF%BD%04%EF%BF%BD%09%EF%BF%BD%EF%BF%BD%EF%BF%BDB%7E&parts=1
K7931 shows 3 ways to prevent this, but can someone help with which of the 3 ways I should use, and why, to prevent this Null in Request message?
Attached Event Log message.
9 Replies
- gersbah
Cirrostratus
Setting the parameter type "File Upload" limits the range of checks that are performed on the parameter value. The primary usage is obviously file uploads, because for example a PDF file or Excel sheet is pretty much a binary blob with some text sprinkled in between and applying meta character checks to see if it includes a quote, a dollar sign, a null byte or some nonprintable character somewhere doesn't make a lot of sense.
In version 14 (maybe also 13?) you can select to still check attack signatures on File Upload parameters - which for real file uploads may not be very useful, but for your scenario should be a good idea. (note: never tested if this actually works)
Setting the checksum parameter to file upload will open you up to some risk of attacks specifically on that parameter, because checks on the parameter will be limited.
If you find this more concerning than globally allowing null bytes, then disabling the "null in request" violation would be the way to go.
There may be another option that is not mentioned in the KB: An iRule to selectively unblock the request if this violation occurs specifically on that parameter. But that would require some engineering and I don't know if it even actually works.
- Subrun
Cirrostratus
Can you explain a little bit more on this:
"If you find this more concerning than globally allowing null bytes, then disabling the "null in request" violation would be the way to go."
- Subrun
Cirrostratus
Thanks as of now for your reply. I am still trying to dig into it.
I am trying to understand, referring to K7931: when we see "Null in Request" in our event log, does this fall into the 2 criteria below?
Configuring the parameter with the NULL to use User-input value as the Parameter Value Type
Configuring the parameter with the NULL to use Ignore value as the Parameter Value Type
- Subrun
Cirrostratus
I see that for the "File Upload" option there is no Attack Signature option I can select. Images attached.
- gersbah
Cirrostratus
This is a feature of version 14 and later. See https://support.f5.com/csp/article/K79544554
"Note: Prior to BIG-IP ASM 14.0.0, you can configure attack signatures for parameters of Alpha-Numeric data type. Starting in BIG-IP ASM 14.0.0, you can configure attack signatures for parameters of File Upload data type, in addition to parameters of Alpha-Numeric data type."
- gersbah
Cirrostratus
Why: https://www.owasp.org/index.php/Embedding_Null_Code
How: Unless this is a very common occurrence in your application in many different places, I would limit the exception to where it's actually needed. So that would be option 1 from the KB you linked. Create the parameter "checksum" and set it to type "File Upload".
- Subrun
Cirrostratus
Appreciate your help.
I am just trying to understand how we will prevent "Null in request" blocking by creating the parameter "checksum" and setting it to type "File Upload". I mean I am looking for a more technical explanation for this.
Another concern: by doing this (with option 1), am I accepting a risk of SQL injection type attacks?
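Before scoping an exception to a single parameter, as the replies suggest, it helps to confirm that the null byte really is confined to `checksum`. The following is an added example, not part of the thread or of any F5 tooling: it percent-decodes request bodies and reports null bytes per parameter. The first body is the one quoted in the question, the second is constructed, and all function names are hypothetical.

```python
from collections import Counter
from urllib.parse import unquote_to_bytes

# Request body quoted in the original post.
BODY = ("f=json&checksum=%EF%BF%BD%1D%EF%BF%BD%D9%8F%00%EF%BF%BD%04"
        "%EF%BF%BD%09%EF%BF%BD%EF%BF%BD%EF%BF%BDB%7E&parts=1")
# Constructed second sample, standing in for another logged request.
CONSTRUCTED = "f=json&checksum=%00%01abc&parts=2"

REPLACEMENT = b"\xef\xbf\xbd"  # UTF-8 encoding of U+FFFD (replacement character)


def triage_body(body: str) -> dict:
    """Decode a urlencoded body and describe the raw bytes of each parameter."""
    report = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        name = unquote_to_bytes(name.replace("+", " ")).decode("utf-8", "replace")
        value = unquote_to_bytes(raw.replace("+", " "))
        report[name] = {
            "length": len(value),
            # Offsets of decoded 0x00 bytes, i.e. the %00 the violation points at.
            "null_offsets": [i for i, b in enumerate(value) if b == 0],
            # Other control bytes, which meta character checks would also notice.
            "control_bytes": sorted({b for b in value if 0 < b < 0x20}),
            "replacement_chars": value.count(REPLACEMENT),
        }
    return report


def null_param_counts(bodies) -> dict:
    """Count, across many bodies, how often each parameter carries a null byte."""
    counts = Counter()
    for body in bodies:
        for name, info in triage_body(body).items():
            if info["null_offsets"]:
                counts[name] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, info in triage_body(BODY).items():
        print(name, info)
    print(null_param_counts([BODY, CONSTRUCTED]))
```

If only `checksum` appears in the counts across a representative set of logged requests, a per-parameter exception covers the false positive without disabling the violation globally.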