Forum Discussion
George_33482
Nimbostratus
Apr 15, 2013
Meta Characters
Hi,
I have ASM 11.2.1 that starts blocking web pages due to meta character violation in the password parameters (during authentication), I allowed some meta characters for the users to be able ...
Torti
Cirrus
Apr 16, 2013
Hi,
By default nearly every meta character is disallowed for use as a parameter value.
In my opinion, this is a little bit too much security for most web applications. This is only necessary if you need a lot of security for your application.
It would be necessary to validate every parameter value the user entered in the web application before the request is sent to the server, i.e. by JavaScript or a special webpage.
If you don't do that, I recommend allowing most of the meta characters for parameter values.
1. If you have trouble with only one parameter value (password), you can do this for that single parameter value only.
2. You can allow the meta characters for all parameter values, too. It saves a lot of time in configuration or policy learning.
i.e. you are not so strict with the user, and he is allowed to type in a wrong value because of a mistake.
I recommend the second option. In my opinion, this is no security risk.
You can learn the meta characters with the policy builder.
Especially the password parameter produces a lot of violations if you don't accept meta characters. A strong password should contain some of them. If the user uses a password generator, there can be a lot of them inside.
regards
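
The two options in the reply above differ in scope, which this added example models in Python (it is not part of the original post and is not F5 code). The disallowed character set, the sample requests and all names are constructed assumptions for illustration.

```python
# Simplified model of meta-character checking on parameter values.
# Not ASM's implementation; character sets and names are assumptions.
from urllib.parse import parse_qsl

# Assumed policy-wide set of disallowed meta characters (constructed).
GLOBAL_DISALLOWED = set("<>'\"!$%&;()|`")
# Meta characters the sample generated password needs (constructed).
PASSWORD_CHARS = "!$%<"

def violations(body, disallowed, overrides=None):
    """Return {param: sorted illegal chars} for a urlencoded request body.

    overrides maps a parameter name to characters allowed for that
    parameter only (the per-parameter exception, option 1).
    """
    overrides = overrides or {}
    found = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        blocked = disallowed - set(overrides.get(name, ""))
        bad = sorted(set(value) & blocked)
        if bad:
            found[name] = bad
    return found

# Constructed requests; the password decodes to Xy!9$k%<Qz.
LOGIN = "username=george&password=Xy%219%24k%25%3CQz"
# Same login, but the username also carries a meta character (ge<orge).
LOGIN_META_USER = "username=ge%3Corge&password=Xy%219%24k%25%3CQz"

# Option 1: allow the characters on the password parameter only.
OPTION1 = {"password": PASSWORD_CHARS}
# Option 2: allow the same characters for every parameter value.
OPTION2_DISALLOWED = GLOBAL_DISALLOWED - set(PASSWORD_CHARS)

if __name__ == "__main__":
    cases = [
        ("default policy", LOGIN, GLOBAL_DISALLOWED, None),
        ("option 1", LOGIN, GLOBAL_DISALLOWED, OPTION1),
        ("option 1, meta char in username", LOGIN_META_USER,
         GLOBAL_DISALLOWED, OPTION1),
        ("option 2, meta char in username", LOGIN_META_USER,
         OPTION2_DISALLOWED, None),
    ]
    for label, body, disallowed, overrides in cases:
        print(f"{label}: {violations(body, disallowed, overrides)}")
```

With option 1 the password stops raising violations while the username value is still checked against the full set; with option 2 the same characters pass in every parameter.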