Forum Discussion

smalex's avatar
smalex
Icon for Altostratus rankAltostratus
Jun 11, 2019

ASM- Bad HTTP version

We have implemented ASM last day and many requests are blocked stating: Bad HTTP version. Version is 1.1 but still its blocked. What might be the reason. Please Guide.

  • ASM will allow HTTP version 1.1. If you're getting bad version then you need to delve into the headers. If you can paste an example here then we can possibly tell you where things are wrong. After you paste, make sure to hit TAB as this will format it as code.

  • GET /sherya/wps/contenthandler/!ut/p/digest!oHOwO7o4KqyDRa6fZ4MVyg/searchfeed/search?queryLang=en_US&date=1&index=RemoteEJBSearchService::/opt/IBM/WebSphere/wp_profile/PortalServer/collections/HAD_FAQ_en&query=HAD License exams&pageSize=300 HTTP/1.1

     

  • This is not a valid URL. No wonder ASM is flagging it.

     

    "...HAD_FAQ_en&query=HAD License exams&p..."

     

    You can't have spaces in a URL. Its likely thinking "License" is the HTTP version.

    • smalex's avatar
      smalex
      Icon for Altostratus rankAltostratus

      Thank you for the reply. But Without ASM in place these were working. Shouldn't it have been blocked?

      • What is there to block it? Firewalls never see the URL in a SSL session, only the application sees the final request and it will either accept it or it won't. The request is definitely outside the spec for HTTP. ASM will never pass this kind of request as it fails protocol compliance. One of the very reasons Application Security Manager was designed to address.