Forum Discussion

raischk_224259's avatar
raischk_224259
Icon for Nimbostratus rankNimbostratus
Jun 10, 2016

Manual Traffic Learning -> Malformed JSON Data: How to handle this?

Hi,

 

i created an ASM policy in blocking mode with a json profile. Sometimes I have a few illegal requests in Security > Event Logs > Application > Requests with "Malformed JSON Data" violation. As attack type it is identified as "JSON Parser Attack" and in the violation details the description is "Malformed document - Illegal encoding sequence". How can I see what's the exact problem on this violation? And how can I handle this problem?

 

If I navigate to Application Security > Policy Building > Manuel Traffic Learning > Malformed JSON Data I don't understand this view. Which settings can be changed with option "Request body handling" and "Enable Staging" and what an effect does this have? I can't find a documentation or something like an explanation about this area and hope for more information from DevCentral.

 

If you need further information please ask.

 

  • Hello raischk, it may not be available for all violations but normally you can access violating payload in the event logs by : cliking on the violation name in the request event, it opens violation details then click in view details. this shows you for example when a signature match the payload concerned.

     

    now for that type of encoding problem, not sure we can report precisely on it.

     

    the policy building menue you quote is giving you the opportunity to deactivate this violation to let the traffic pass as it seems to be a false positive for you.

     

  • Hello Arnaud Lemaire,

     

    thanks for your answers and sorry for my questions. I am new in ASM and not realy familiarized with it.

     

    Maybe this screenshot helps for a precisely report about my problem. In HTTP Request > General Details there is an "JSON Parser Attack" detected. All malformed json data violations are truncated. Maybe this relates to each other?

     

    In this quoted menue I have the opportunity to deactivate this violation to let the traffic pass. I think this is the accept button next to the different URLs, isn't it? I don't understand the option in column "request body handling". What an effect does this have if I change the setting to "form data", "apply value and content signatures" or "apply Content signatures"?

     

    Thanks for your answer.