Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

ASM - Disable violation for a specific URI

F5Team
Altocumulus
Altocumulus

‎31-May-2023 03:16

Below is the violation detected for a certain URI. We are looking to disable only for this specific URI

Evasion technique detected [1]
Detected Evasion Technique Bad unescape

Parameter Value
"1.0"?<UserName>xxxxxxx</UserName><UserPassword>Hello123%</UserPassword><CurrentDateTime>2023-05-29</CurrentDateTime><UserType>U

ssword>Hello123%</UserPassword><

(Password contains the character '%')

1. Would the following iRule help? Can we also include character of the parameter value to the iRule to be more specific (ASM::violation details, parameter_data.value)

when ASM_REQUEST_DONE {
if {[ASM::violation names] contains "Evasion technique detected" and [string tolower [HTTP::uri]] contains "URI"}
{
ASM::unblock
log local0. "ASM unblocking [HTTP::uri]"
}
}

2. Would adding a return carriage or a space to the html code before the </UserPassword> work?

Labels:
0 Kudos
2 REPLIES 2

Mohamed_Ahmed_Kansoh
MVP
MVP

‎31-May-2023 04:20

Hi @F5Team , 

you can use irule like you wrote above also see these Article about 1-ASM irules , 2- how to get the correct name of the violation to specifiy it in the iRule: 
 > https://my.f5.com/manage/s/article/K15573541
 > https://my.f5.com/manage/s/article/K37744422

But what if another violation under ( Evasion Technique Detection ) other than Badunescape one. 

I would recommend to adjust the system variable attribute "ecard_max_http_req_uri_len" to higher value but you need to do that in a maintenance window because you need to restard asm deamon service for the changes to take effect , to do that please refer to this article : 
https://my.f5.com/manage/s/article/K000092642
you will find within it another article with the steps.

I hope that helps you 

_______________________
Regards
Mohamed Kansoh
0 Kudos

F5Team
Altocumulus
Altocumulus

‎05-Jun-2023 02:06

Thanks
We've used another option "Security Policy Microservices", which can be applied to more specific traffic.

This unblocked 'Bad unescape' only for that specific URI.

1) Go to Security  ››  Application Security : Security Policies : Policies List  ››  Policy name 

2) Select Microservices --> Create --> as shown in the screenshot.

 
Preview file
195 KB
0 Kudos
Copyright © 2023 Khoros, LLC