
ASM best practice to allow \\ in new sec-ch-ua header

Thierry
Nimbostratus

Hello,

Recently some of our developers have upgraded to msedge dev and then beta, and these browsers (and maybe more Chromium-based browsers in dev/beta mode) add a specific brand to the sec-ch-ua header, like this:

sec-ch-ua: "Chromium";v="85", "\\Not;A\"Brand";v="99", "Microsoft Edge";v="85"

The F5 ASM we use here (we use V11 and V13, but for now this problem has only appeared on our V11 boxes) blocks these requests, as they match the "IIS Backslash" vulnerability.

What does F5 recommend in this situation? We had two choices (but maybe there is a third one that is better and we did not think of it), and we went for the second one:

1st one: disable blocking on the IIS Backslashes vulnerability.

2nd one (current workaround): disable all checks on the header itself.

Does F5 have a specific recommendation for this situation?
Thanks in advance,

Regards,

Thierry

Ivan_Chernenkii
F5 Employee

Hello,

As I see it, the current workaround is pretty good. Also, you can disable only "Url Normalization" for the "sec-ch-ua" header; it should be enough.

Thanks, Ivan

Thierry
Nimbostratus

Thanks a lot, Ivan.
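Added example, not F5 code and not from either post: a small parser that reads the sec-ch-ua value as an RFC 8941 structured-field list (a list of quoted strings, each with a v= parameter). It shows why a plain byte-level backslash pattern fires on the Edge/Chromium brand quoted in the question, while a check that understands the header grammar accepts that value (the two backslashes are legal sf-string escapes, decoding to the brand `\Not;A"Brand`) and still rejects values that are not well-formed. It does not model ASM's own URL normalization or signature logic; the sample values other than the one quoted in the question are constructed for the demo.

```python
"""Structured-Field parser for sec-ch-ua (RFC 8941 sf-list of sf-string items).

Added example, not F5 code. Handles sf-string and sf-token items and
parameters, which is all sec-ch-ua uses; integers and other sf types are
out of scope. Sample values are constructed, except the first, which
reproduces the header quoted in the question."""
import re
from typing import Dict, List, Tuple, Union

Param = Union[str, bool]
Item = Tuple[str, Dict[str, Param]]

# sf-token and parameter-key grammars from RFC 8941 sections 3.3.4 and 3.1.2
_TOKEN = re.compile(r"[A-Za-z*][A-Za-z0-9:/!#$%&'*+\-.^_`|~]*")
_KEY = re.compile(r"[a-z*][a-z0-9_\-.*]*")

# Constructed samples; the first reproduces the value quoted in the question.
SAMPLE_FROM_QUESTION = '"Chromium";v="85", "\\\\Not;A\\"Brand";v="99", "Microsoft Edge";v="85"'
SAMPLE_BAD_ESCAPE = '"Chromium";v="85", "Foo\\xBar";v="1"'      # \x is not an sf-string escape
SAMPLE_UNQUOTED = '"Chromium";v="85", \\\\Not;A\\"Brand'        # backslash outside any quoted string


def _parse_sf_string(s: str, i: int) -> Tuple[str, int]:
    """Parse an sf-string starting at its opening quote; return (decoded, next_index)."""
    if s[i] != '"':
        raise ValueError(f"expected '\"' at offset {i}")
    i += 1
    out: List[str] = []
    while i < len(s):
        c = s[i]
        if c == "\\":
            # Only \" and \\ are valid escapes inside an sf-string.
            if i + 1 >= len(s) or s[i + 1] not in '"\\':
                raise ValueError(f"invalid escape at offset {i}")
            out.append(s[i + 1])
            i += 2
        elif c == '"':
            return "".join(out), i + 1
        elif " " <= c <= "~":
            out.append(c)
            i += 1
        else:
            raise ValueError(f"non-printable character at offset {i}")
    raise ValueError("unterminated sf-string")


def _parse_bare(s: str, i: int) -> Tuple[str, int]:
    """Parse an sf-string or sf-token at offset i."""
    if i < len(s) and s[i] == '"':
        return _parse_sf_string(s, i)
    m = _TOKEN.match(s, i)
    if not m:
        raise ValueError(f"expected sf-string or sf-token at offset {i}")
    return m.group(0), m.end()


def parse_sec_ch_ua(value: str) -> List[Item]:
    """Parse a sec-ch-ua value into [(brand, {param: value}), ...]; raise on malformed input."""
    items: List[Item] = []
    i, n = 0, len(value)
    while True:
        while i < n and value[i] in " \t":
            i += 1
        brand, i = _parse_bare(value, i)
        params: Dict[str, Param] = {}
        while i < n and value[i] == ";":
            i += 1
            while i < n and value[i] == " ":
                i += 1
            m = _KEY.match(value, i)
            if not m:
                raise ValueError(f"expected parameter key at offset {i}")
            key, i = m.group(0), m.end()
            if i < n and value[i] == "=":
                pval, i = _parse_bare(value, i + 1)
            else:
                pval = True  # a bare key means boolean true
            params[key] = pval
        items.append((brand, params))
        while i < n and value[i] in " \t":
            i += 1
        if i >= n:
            return items
        if value[i] != ",":
            raise ValueError(f"unexpected {value[i]!r} at offset {i}")
        i += 1
        # A comma must be followed by another item, never by end of input.
        if not value[i:].strip(" \t"):
            raise ValueError("trailing comma")


def byte_level_backslash_hit(value: str) -> bool:
    """What a plain byte-pattern signature sees: any backslash at all."""
    return "\\" in value


def grammar_level_verdict(value: str) -> str:
    """Accept only values that parse as a well-formed sf-list of brands."""
    try:
        parse_sec_ch_ua(value)
        return "well-formed"
    except ValueError as exc:
        return f"malformed: {exc}"


if __name__ == "__main__":
    for sample in (SAMPLE_FROM_QUESTION, SAMPLE_BAD_ESCAPE, SAMPLE_UNQUOTED):
        print(f"{sample!r}\n  byte-level backslash hit: {byte_level_backslash_hit(sample)}"
              f"\n  grammar-level verdict:    {grammar_level_verdict(sample)}")
```

Running the block prints, for each sample, whether a byte-level backslash check fires and whether the grammar check accepts it: the header from the question trips the former but is well-formed under the latter, while the two constructed values are rejected by the grammar check. Note that the decoded brand still contains a backslash, so the point is not that backslashes are harmless but that a quoted, correctly escaped sf-string is the expected shape of this header and a structural check can tell that apart from a raw backslash in a place the grammar does not allow.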