Gumshoe
Nov 30, 2023
Solved

ASM blocked request contains & (ampersand) symbol in parameter value

ASM thinks that in a parameter value the "&" and space is the beginning of a new parameter and thus blocks on AMF body context for a command execution signature and does not check the built parameter. 

Should it be recommended to the developers that they encode their "&" throughout their request to not confuse the ASM or just have them not use that character in their input fields?

example:  &BuiltParameter=Chocolate&0x20MSG0x20

 

  • Hi Gumshoe,

    BIG-IP ASM supports the ampersand & symbol as a delimiter between parameters

    A parameter is a piece of information within a web application, such as a user name, address, credit card number, or phone number.

    The BIG-IP ASM system supports the question mark symbol (?) as the separator between the path and query string of the URI. However, the BIG-IP ASM system only supports the ampersand symbol (&) as a delimiter between parameters. 

    & is used in a url as a parameter separator and is a reserved keyword or 

    Recommended Actions

    Use url encoding if you want & to be part of the parameter value

    The url encoded value for & is %26

    eg.

    param3=hello%20%26%20world

    If characters & and = are part of the parameter value, it must be encoded to %26 and %3d

     

    string1%26string2%3dstring3


    HTH

    🙏
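Added example, not from the original post or from F5: a short Python demonstration of why a raw "&" inside a value is split into a second parameter by any parser that treats "&" and "=" as delimiters (as the reply says BIG-IP ASM does), and how percent-encoding the value (%26, %3D, %20) makes it survive parsing intact. The function names and the sample parameter values are my own; the parser used is Python's standard `urllib.parse`, which is only a stand-in for the WAF's own parameter parser.

```python
from urllib.parse import parse_qs, quote, urlencode

# Constructed sample value, in the spirit of the question's "Chocolate & MSG".
# The function names below are hypothetical and not part of any F5 API.


def split_query(query: str) -> dict[str, list[str]]:
    """Parse a query string the way a delimiter-based parser does:
    every '&' starts a new parameter and the first '=' separates the
    name from the value.  Percent-escapes are decoded only after the
    split, which is why an encoded %26 is safe but a raw '&' is not."""
    return parse_qs(query, keep_blank_values=True)


def encode_params(params: dict[str, str]) -> str:
    """Build a query string whose values percent-encode '&', '=' and
    space (%26, %3D, %20).  quote_via=quote gives %20 for space instead
    of the '+' form that urlencode uses by default."""
    return urlencode(params, quote_via=quote)


def value_survives(name: str, value: str) -> bool:
    """True if a value round-trips through encode -> parse unchanged,
    i.e. the parser sees exactly one parameter with the original value."""
    parsed = split_query(encode_params({name: value}))
    return parsed == {name: [value]}


if __name__ == "__main__":
    # Raw ampersand: the parser truncates the value and invents " MSG".
    raw = "BuiltParameter=Chocolate & MSG&other=1"
    print(split_query(raw))
    # Encoded ampersand: the value is recovered whole.
    encoded = encode_params({"BuiltParameter": "Chocolate & MSG", "other": "1"})
    print(encoded)
    print(split_query(encoded))
    # The reply's own example decodes to a single value containing '&' and '='.
    print(split_query("p=string1%26string2%3dstring3"))
```

Running it shows the raw form parsed as three parameters (`BuiltParameter`, a spurious ` MSG`, and `other`), while the encoded form parses back to the two intended parameters; this is the same split the question describes, and encoding on the client is the fix the reply recommends.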
