Forum Discussion
Mask Value in Logs based on the OpenAPI specification
Hi JustJozef,
You can modify the Sensitive Data Configuration of the JSON profile and remove the sensitive data elements. To do so, perform the following procedure:
Impact of workaround: The BIG-IP ASM security policy will no longer mask sensitive data elements.
- Log in to the Configuration utility.
- Navigate to Security > Application Security > Content Profiles > JSON Profiles.
- Set Current edited security policy to the name of the affected security policy.
- Click the profile name of the affected JSON profile.
- To remove sensitive JSON data masking, click the Sensitive Data Configuration tab.
- In the Namespace section, select the box to the left of each element.
- Click Delete.
- Click Update.
- Click Apply Policy.
Could you check all the elements available for this JSON profile and share a screenshot?
Please check whether the password keyword is correct or whether you need to use pwd. Here is one example:
{"app":"MyMoABC","srv":"MyMoAuthen","op":"login","header":{"pwd":"111111","user":"2222222222222"}}
Please refer to this document:
K52154401: Masking data in the BIG-IP ASM request log
https://my.f5.com/manage/s/article/K52154401
Topic
You should consider using these procedures under the following conditions:
- You want to mask sensitive data in the BIG-IP ASM request log so that the data cannot be viewed by the administrator.
- You want to mask HTTP header or cookie data (BIG-IP ASM 14.0.0 or later only).
Description
By default, the BIG-IP ASM system logs information about incoming requests to the request log in plain text. In some cases you may want to mask request information in the logs as some requests include sensitive information, such as authorization credentials or credit card information. When you enable Mask Value in Logs for a policy element, the system replaces the sensitive data with asterisks (***). The masked data cannot be viewed by the administrator.
You can mask data in the logs for the following policy elements.
- Data to mask: Parameters
Description: Masks the parameter value, including the value for positional parameters. The setting does not mask the parameter name.
Example:
GET /profiles/****
- Data to mask: HTTP headers
Description: Masks the header value. The setting does not mask the header name.
Example:
GET / HTTP/1.1
Host: Example.com
Connection: Keep-alive
Authorization: ******
Cookie: TS-Cookie
- Data to mask: Cookies
Description: Masks the values for allowed and enforced cookie types. The setting does not mask the cookie name and does not apply to BIG-IP ASM cookies.
Example:
GET / HTTP/1.1
Host: Example.com
Connection: Keep-alive
Cookie: ******
- Data to mask: JSON Profiles
Description: Masks elements within the JSON data whose values should be considered sensitive.
Example:
secID: ******
- Data to mask: XML Profiles
Description: Masks sensitive data in an XML document. You can specify the element or attribute whose value contains sensitive data and should be masked by the policy.
Example:
<secID>******</secID>
Note: When a BIG-IP ASM policy is set to use Case Sensitive, the created parameters must match the case of the parameter presented by the client. This may require creating multiple parameters to cover variants of the Parameter (for example: password/Password/PASSWORD).
Prerequisites
You must meet the following prerequisites to use these procedures:
- You have access to the Configuration utility.
- You have identified the sensitive content to be masked.
Procedures
- Masking request log data for a parameter
- Masking request log data for HTTP headers
- Masking request log data for cookies
- Masking request log data for JSON profiles
- Masking request log data for XML profiles
Masking request log data for a parameter
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
- Log in to the Configuration utility.
- Go to Security > Application Security > Parameters > Parameters List.
- Select the name of an existing parameter or select Create to create a new parameter.
- For Mask Value in Logs, select the Enabled check box.
Note: In versions prior to BIG-IP ASM 14.0.0, for Sensitive Parameter, select the Enabled check box.
- Select Update.
- Select Apply Policy.
Masking request log data for HTTP headers
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
17.0.0 and later
- Log in to the Configuration utility.
- Go to Security > Application Security > Security Policies > Policies List > policy_name > HTTP Message Protection > Headers.
- Select the name of the HTTP header or select Add Header.
- For Mask Value in Logs, select Enabled.
- Select Update.
- Select Save.
- Select Apply Policy.
14.x - 16.x
- Log in to the Configuration utility.
- Go to Security > Application Security > Headers > HTTP Headers.
- Select the name of the HTTP header or click Create to create a new HTTP header.
- For Mask Value in Logs, select the Enabled check box.
- Select Update.
- Select Apply Policy.
Masking request log data for cookies
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
17.0.0 and later
- Log in to the Configuration utility.
- Go to Security > Application Security > Security Policies > Policies List > policy_name > HTTP Message Protection > Cookies.
- Select the name of the Cookie or select Create.
- For Mask Value in Logs, select Enabled.
- Select Update.
- Select Save.
- Select Apply Policy.
14.x - 16.x
- Log in to the Configuration utility.
- Go to Security > Application Security > Headers > Cookie List.
- Under Cookies, select the Enforced Cookies tab or Allowed Cookies tab.
- Select the name of the cookie or click Create to create a new cookie.
- For the Mask Value in Logs, select the Enabled check box.
- Select Update.
- Select Apply Policy.
Masking request log data for JSON profiles
You can use Mask Value in Logs for the JSON profile only when Parse Parameters is disabled for the profile.
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
- Log in to the Configuration utility.
- Go to Security > Application Security > Content Profiles > JSON Profiles.
- Select the name of the JSON profile.
- Select the Value Masking tab.
Note: In versions prior to BIG-IP ASM 14.0.0, select the Sensitive Data Configuration tab.
Note: The Value Masking tab is available when the Parse Parameters option is not selected in the profile.
- For Element Name, enter the name of the element within the JSON data for which the values are considered sensitive.
- Select Add to add the JSON data to the list.
- Select Update.
- Select Apply Policy.
Masking request log data for XML profiles
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
- Log in to the Configuration utility.
- Go to Security > Application Security > Content Profiles > XML Profiles.
- Select the name of the XML profile.
- Select the Value Masking tab.
Note: In versions prior to BIG-IP ASM 14.0.0, select the Sensitive Data Configuration tab.
- For Namespace, select the appropriate option.
- For Name, select the appropriate option.
- Enter the name of the attribute or element within the XML data for which the values are considered sensitive.
- Select Add.
- Select Update.
- Select Apply Policy.
Best Regards
F5 Design Engineer
- JustJozef, Jun 05, 2023, Cirrus
Hello,
Thank you for the answer. I am aware of the option related to masking/unmasking sensitive parameters. In my case it is not possible to make modifications directly via the GUI, as the security policies for APIs are automated. When a new swagger file is available, the security policy is adapted by the scripts.
So my options are:
- Define it via the swagger file - the ASM policy will take it from the swagger file and add the sensitive parameter under the tab "Value Masking"
- Define it in the JSON file of the security policy.
In the first option I cannot define a property in the swagger file to tell the ASM policy to mask the parameter in the tab "Value Masking". The second option does not work for me, as modification of the tab "Value Masking" does not show any configuration change in the exported policy.
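A pre-processing step that automation like the one described above could run, as an added example that is not part of the original posts and is not F5 code: it collects the element names marked `format: password` in an OpenAPI document and checks them against the sample body quoted earlier in the thread. The spec fragment, the function names and the exact-name matching in `mask` are assumptions, and the script does not configure BIG-IP.

```python
import json

# Constructed OpenAPI 3 fragment (not from the thread). "format": "password"
# is the standard OpenAPI marker for a secret string property.
SPEC = json.loads("""{"components": {"schemas": {
  "Header": {"type": "object", "properties": {
    "pwd":  {"type": "string", "format": "password"},
    "user": {"type": "string"}}},
  "Login": {"type": "object", "properties": {
    "op": {"type": "string"},
    "header": {"$ref": "#/components/schemas/Header"}}}}}}""")

# Sample request body quoted earlier in the thread.
SAMPLE = json.loads('{"app":"MyMoABC","srv":"MyMoAuthen","op":"login",'
                    '"header":{"pwd":"111111","user":"2222222222222"}}')

def sensitive_names(node, found=None):
    """Walk the whole spec and collect property names marked format: password."""
    found = set() if found is None else found
    if isinstance(node, dict):
        props = node.get("properties")
        if isinstance(props, dict):
            for name, schema in props.items():
                if isinstance(schema, dict) and schema.get("format") == "password":
                    found.add(name)
        for child in node.values():  # referenced schemas are reached here too
            sensitive_names(child, found)
    elif isinstance(node, list):
        for child in node:
            sensitive_names(child, found)
    return found

def case_variants(name):
    """Spellings to register when the policy is case sensitive (per the KB note)."""
    return sorted({name, name.lower(), name.upper(), name.capitalize()})

def mask(body, names):
    """Local simulation, not BIG-IP code: mask values of exactly matching names."""
    if isinstance(body, dict):
        return {k: "******" if k in names else mask(v, names) for k, v in body.items()}
    if isinstance(body, list):
        return [mask(v, names) for v in body]
    return body

if __name__ == "__main__":
    names = sensitive_names(SPEC)
    print("element names:", [v for n in sorted(names) for v in case_variants(n)])
    print(json.dumps(mask(SAMPLE, names)))
```

Running the same check with a list that contains only `password` leaves `pwd` in clear text, which is the mismatch the first reply asks about.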