Forum Discussion
Request Content-Length differs from actual request body length
I'm monitoring and checking event logs for the security policy of a new virtual server, and I found:
I tried a tool called Fiddler to calculate the request body length and it gave me (Content-Length: 4009), so is the request body length 4009 or 65536?
What is causing this issue? How do I check it?
I have contact with the dev team; they have a workaround to disallow this value in the header from being sent. Can I do the same on the BIG-IP via iRule or something? As far as I know I can disable HTTP protocol compliance checks for unparsable request content, but that will disable a lot of sub-violations: https://support.f5.com/csp/article/K44162352
3 Replies
- Mohanad
Cirrostratus
Hereunder the request details:
Original request
Request actual size: 66526 bytes.
Request was truncated.
POST /CPESSite/Main.aspx?module=CMS HTTP/1.1
Host: x.x.x.x
Connection: keep-alive
Content-Length: 107190
Cache-Control: max-age=0
Origin:
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer:
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: ASP.NET_SessionId=pag0eyb1w4wozbub41yevxnt; __AntiXsrfToken=e475b8e564504f8ea3a787d9612025a8; AuthToken=6dfe0ac5-9892-4b27-bb08-53868a027111; TS0129144f=01441a34f8d97de5526f6b4fd247b716f9d01d3faa3aaade07262d37b37a657d25c5a1c4a03fae4d33b561d4c8261f73c1af53275e4aeeb02abb76f8df76f50f91a297bbd9c578fa9451c9bec58035056dc08bcc6119f00869035544c9802c13012716840f
X-Forwarded-For: x.x.x.x
- youssef1
Cumulonimbus
Hello,
The BIG-IP ASM system checks HTTP requests for unparsable content as part of HTTP compliance enforcement. When the HTTP parser cannot parse any part of an HTTP request, the system triggers a violation. This article lists the subviolation checks for HTTP protocol compliance that the system applies to HTTP content requests.
https://support.f5.com/csp/article/K44162352
Increase this limit in the ASM instead of accepting (disabling) this violation, in this menu: Security ›› Options : Application Security : Advanced Configuration : System Variables : ecard_max_http_req_uri_len.
Then restart the ASM service: tmsh restart sys service asm
Regards
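Added example, not part of the original thread and not F5 code: one way to answer "how to check it?" offline is to compare the declared Content-Length with the body bytes actually present in a saved raw request, treating a truncated capture (as in the logged request above) as inconclusive rather than as a mismatch. The function names, the /form path and the app.example host are assumptions, and the sample requests are constructed.

```python
# Added example: compare declared Content-Length with the body bytes present.

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into ({header: [values]}, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLF CRLF separator between headers and body")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # [0] is the request line
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers, body

def check_content_length(raw: bytes, capture_truncated: bool = False):
    """Return (verdict, declared, actual); declared is None if unusable."""
    headers, body = parse_request(raw)
    actual = len(body)
    if "transfer-encoding" in headers:
        return ("transfer-encoding present, Content-Length not authoritative", None, actual)
    values = set(headers.get("content-length", []))
    if not values:
        return ("no Content-Length header", None, actual)
    if len(values) > 1:
        return ("conflicting Content-Length headers", None, actual)
    value = values.pop()
    if not (value.isascii() and value.isdigit()):
        return ("unparsable Content-Length", None, actual)
    declared = int(value)
    if actual == declared:
        return ("match", declared, actual)
    if actual < declared and capture_truncated:
        # A log viewer that cuts the body cannot prove a mismatch.
        return ("inconclusive: capture truncated", declared, actual)
    return ("mismatch", declared, actual)

def sample(content_lengths, body: bytes) -> bytes:
    """Build a constructed request (hypothetical path and host)."""
    lines = ["POST /form HTTP/1.1", "Host: app.example"]
    lines += [f"Content-Length: {cl}" for cl in content_lengths]
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + body

if __name__ == "__main__":
    body = b"a=1&b=2"
    print(check_content_length(sample([len(body)], body)))
    print(check_content_length(sample([107190], body), capture_truncated=True))
    print(check_content_length(sample([107190], body)))
    print(check_content_length(sample([7, 9], body)))
```

Run it against the bytes captured on the wire (for example a saved raw request), not against text copied from a log viewer that reports the request as truncated.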
- Prasad_Chowdary
Nimbostratus
Hi Mohanad,
I ran into the same issue. Can you tell me what you did to fix this issue?
Thanks in advance.
Thanks, Prasad Meka
