Forum Discussion
Mike_Maher
Nimbostratus
NimbostratusMultiple Decodings
I have an application that is showing a lot of violations for Multiple Decoding. From I am seeing it looks like I can increase the value to 2 to 3, and that should help my problem but not necessarily increase my risk. My understanding is that ASM will still decode the content as many times as necessary to get to the ASCII value and protection will still be provided at that level. I wanted to get some other opinions though how does everyone else manage this setting, do you turn it on at all?
hoolioCirrostratus
Is the value triggering the violation encoded more than two times? I've seen one or two bugs with this functionality in 9.4.x.
In general, I think ASM decodes the exact number of times configured. If there are still percent encoded values a violation is triggered. I don't think there is any significant performance hit if you set it for 3 decodings and the clients only send double encoded values. I'd expect ASM wouldn't decode the parameters if there wasn't anything to decode.
In our customer's policies, I always try to enable this check.
Aaron
Javier_Checa_41I always try to keep it in two decodings, but sometimes I've had to set it to 3 (when not in the mood to teach lazy programmers how they have to do their job).
Javi
Edit: no performance impact at all.- hoolioThere are valid cases where the parameter values might be URL encoded more than two times. One example is XML element values in parameter values.
Aaron