Aurel
Feb 18, 2019

ASM : Context AMF Body

Hi, I am getting several signature matches on the content of a PNG file upload, and also an HTTP compliance violation (Bad multipart parameters parsing : Chunk value does not contain any CRLF).

ASM is seeing AMF content, but it is not actually AMF. Why is ASM unable to see lots of parameters inside this multipart/form-data request?

How finely can I set those exceptions is the question that I am wondering about.

I'm afraid a signature exception at the whole policy level is the answer.

Any thoughts are very welcome.

6 Replies

  • Hi, hopefully this is still relevant.

    The AMF body context is used to place the entire POST body into a single parameter value for the purpose of applying signatures. As you probably saw though, this results in many false positives and removes the ability to control overrides and content handling at the parameter level.

    The reason AMF body is happening is usually because the multipart request is not proper RFC. If you enable the "bad multipart request" violation in the policy at alarm level, you will likely see this violation is occurring as well. If this violation occurs, we cannot parse the parameters in the multipart request; therefore we fall back to using AMF body.

  • Hi,

    I can't remember how I handled this. I'm sorry. It was an old TMOS 11.5.3 version that is now upgraded.

    What I've understood is that a multipart type of request has a strict structure, and when something is not as strict as ASM is expecting, then ASM switches to another AMF parsing (binary type).

  • Mica

    Hi,

    Specifying that the parameter is used for file upload was working for me in version 11.5.1. Signature checks were not initiated for the binary code of the file, so that prevented a lot of false positives.

    Now, in version 13.1.1, ASM is seeing AMF content instead of binary file upload and triggers a lot of signatures and violations. For now the only workaround I can see is to disable all signatures on the URL, but it's not a good solution.

  • Mica

    Hi,

    Thanks for the reply, it's obviously still relevant for me, great explanation.

    I'm not 100% sure, but I don't remember seeing these AMF body events in v11.6. We recently migrated from v11.6 to 13 and I'm almost sure that I noticed this bad POST request parsing only after migration. Our application didn't change for years and this happened only with several files on some forms-data.

    I'll enable "Bad multipart request" violation and try to reproduce the issue.

    Thanks, regards
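
The first reply above ties the AMF body fallback to multipart requests with non-compliant framing. As an added example (not part of the original thread, and not ASM's parser), this Python check tests a captured multipart/form-data body for CRLF framing before blaming the policy. The boundary `XbOuNd`, both sample bodies and the issue messages are constructed for illustration.

```python
import re
CRLF = b"\r\n"

def boundary_from_content_type(content_type):
    """Extract the boundary parameter from a multipart Content-Type header."""
    m = re.search(r'boundary="?([^";]+)"?', content_type, re.IGNORECASE)
    if not m:
        raise ValueError("no boundary parameter in Content-Type")
    return m.group(1).encode("ascii")

def check_multipart(body, boundary):
    """Return a list of framing problems; an empty list means strict framing."""
    issues = []
    delim = b"--" + boundary
    if not body.startswith(delim + CRLF):
        issues.append("first delimiter is not followed by CRLF")
    if not body.rstrip(CRLF).endswith(delim + b"--"):
        issues.append("closing delimiter is missing")
    # Everything between two delimiters is one chunk (part headers + value).
    for n, chunk in enumerate(body.split(delim)[1:], 1):
        if chunk.startswith(b"--"):
            break  # closing delimiter reached
        if CRLF not in chunk:
            issues.append(f"part {n}: chunk does not contain any CRLF")
        elif CRLF + CRLF not in chunk:
            issues.append(f"part {n}: headers not ended by an empty CRLF line")
        elif not chunk.endswith(CRLF):
            issues.append(f"part {n}: no CRLF before the next delimiter")
    return issues

# Constructed sample: two parts, strict CRLF framing, tiny stand-in for PNG bytes.
GOOD = CRLF.join([
    b"--XbOuNd",
    b'Content-Disposition: form-data; name="title"',
    b"",
    b"logo",
    b"--XbOuNd",
    b'Content-Disposition: form-data; name="file"; filename="a.png"',
    b"Content-Type: image/png",
    b"",
    b"\x89PNG\r\n\x1a\n",
    b"--XbOuNd--",
    b"",
])
# The same request as a client emitting bare LF line endings would send it (constructed).
BAD = GOOD.replace(CRLF, b"\n")
if __name__ == "__main__":
    b = boundary_from_content_type("multipart/form-data; boundary=XbOuNd")
    print(check_multipart(GOOD, b), check_multipart(BAD, b))
```

Running it against a body saved from a proxy or packet capture shows whether the client, rather than the policy, is the source of the parsing violation.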