Forum Discussion

Aantat's avatar
Aantat
Icon for Cirrus rankCirrus
Aug 01, 2023

Unable to mask XML parameter

Hello F5 experts,

I was configuring AWF policy and faced a problem with masking value of XML parameter. but without success.

I've imported XML scheme. I've configured Value Masking according to the documentation. I've tried to configure it as a Sensetive Parameter, but without success.

What am I missing? What should I set up? Where am I making a mistake?

I will be glad for any help.

application delivery
security
    • Aantat's avatar
      Aantat
      Icon for Cirrus rankCirrus
      Aug 02, 2023

      I followed that KB but I'm still facing same issue. It's not working

  • Robinsdf's avatar
    Robinsdf
    Icon for Nimbostratus rankNimbostratus
    Aug 02, 2023

    Hello,

    If kyou are facing a problem with masking XML parameter value in AWF policy. Imported XML scheme, configured Value Masking as per docs, and marked it as Sensitive Parameter but unsuccessful. Check XML schema alignment, review masking configuration, and test with sample XML payloads. It can be solution.

  • Aantat's avatar
    Aantat
    Icon for Cirrus rankCirrus
    Aug 02, 2023

    Hello experts,

    I'm still facing the issue with masking parameter value. I've tried lot's of combinations in Header-Based Content Profile, but no success.

    Could the problem be that the value of the Content-Type is the 'application' and not the 'xml'?

    How can I validate my XML scheme? Could the problem is wrong XML scheme?

    Added some screenshots with requests and example of configurations.

    • Ismael_Goncalves's avatar
      Ismael_Goncalves
      Icon for Employee rankEmployee
      Aug 08, 2023

      Aantat "Could the problem be that the value of the Content-Type is the 'application' and not the 'xml'?"

      That's correct. Your Content-Type is 'application/x-www-form-urlencoded' which will not match the *xml* Content-Type expected to trigger the XML parsing and XMl profile assisngment. Hence, the data won't be masked. 

      If all the requests to this URL are expected to be XML even if the request does not present the correct Content-Type, you can configure content-type '*form*' and treat it as an XML.