Forum Discussion

Ashish_205344

Nimbostratus

Aug 16, 2017

Risk excepting "xml data does not comply with schema or wsdl document"

I have setup a XML Profile and getting some requests blocked due to "xml data does not comply with schema or wsdl document", after analysing the requests if my SOAPAction header is blank the request ...

ASM Advanced WAF

security

samstep

Cirrocumulus

Aug 23, 2017

Adding exception means that you can miss an attack. If you believe that the culprit is the empty SOAPAction header then it might make sense to remove it with an iRule if it is empty before the request hits the ASM policy.

The empty SOAPAction header is a bit of a grey area really coming form a 17-year-old spec dated year 2000 while the HTTP spec from 1999 says that each header must have a value...

You may have hit an interesting case, I suggest that you raise a support case with F5 with examples of ASM behaviour you are observing with SOAPAction being empty, having two sets of double-quotes and the action as value.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)