Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Can't upload msg file - ASM block

Go to solution
THE_BLUE
Cirrus
Cirrus

‎04-Oct-2021 22:43

WAF block my request due to " attack signature detected" when try to upload msg file , and the Context : HTTP Request Body Unparsed Payload.

the request is look like this :

Content-Type: multipart/form-data;

Content-Disposition: form-data; name="sth.msg" fileName="sth.msg"

the name of parameter take the same name of file upload with each request, so how can we solve this?

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Daniel_Wolf
Nacreous
Nacreous

‎06-Oct-2021 12:18

This looks correct, though I don't have any lab where I could test this at the moment.

Your configuration would apply anytime the Content-Type header value is multipart/form-data.

The Request Header Value allows wildcards. You could try to narrow down to Do Nothing only for .msg files by testing this combination:

 

Request Header Name : Content-Disposition

Request Header Value : form-data; name="*.msg"; filename="*.msg"

Request Body Handling : Do Nothing

 

EDIT: A word of caution. You should consider to what risk you are exposing your application when not checking these uploads.

View solution in original post

7 REPLIES 7

Go to solution
Daniel_Wolf
Nacreous
Nacreous

‎05-Oct-2021 07:01 - last edited on ‎24-Mar-2022 01:26 by Fog

Hi , 

 

I guess this discribes your blocking message and a possibe solution:

K32081491: ASM blocked a request due to Attack Signatures triggered with Violation Context AMF body

 

KR

Daniel

 

0 Kudos

Go to solution
THE_BLUE
Cirrus
Cirrus
In response to Daniel_Wolf

‎05-Oct-2021 22:24

Dear Daniel,

Many thanks for sharing.

For Request Header Name, enter an explicit header name that must appear in requests for this URL.

 

so in my case i have to do like this :

Request Header Name : Content-Type

Request Header Value : multipart/form-data;

Request Body Handling : Do Nothing

0 Kudos

Go to solution
Daniel_Wolf
Nacreous
Nacreous

‎06-Oct-2021 12:18

This looks correct, though I don't have any lab where I could test this at the moment.

Your configuration would apply anytime the Content-Type header value is multipart/form-data.

The Request Header Value allows wildcards. You could try to narrow down to Do Nothing only for .msg files by testing this combination:

 

Request Header Name : Content-Disposition

Request Header Value : form-data; name="*.msg"; filename="*.msg"

Request Body Handling : Do Nothing

 

EDIT: A word of caution. You should consider to what risk you are exposing your application when not checking these uploads.

Go to solution
THE_BLUE
Cirrus
Cirrus
In response to Daniel_Wolf

‎07-Oct-2021 02:05

Many thanks, i will test that.

Thanks for the note, sure I will.

0 Kudos

Go to solution
THE_BLUE
Cirrus
Cirrus

‎11-Oct-2021 02:15

I have test that but still the same issue is still exist.

0 Kudos

Go to solution
Daniel_Wolf
Nacreous
Nacreous
In response to THE_BLUE

‎11-Oct-2021 10:01

As said, I don't have a lab that I could use to test your particular case.

Did you try with this combination too?

 

Request Header Name : Content-Type

Request Header Value : multipart/form-data;

Request Body Handling : Do Nothing

 

Maybe the Request Header Value is just not matching with the wildcards?

Go to solution
Nikoolayy1
MVP
MVP

‎22-Feb-2023 03:53

The strange thing is that I as well may test this solution as I have a query paramater in a POST request (strange yup !) that is for file upload with Content-Type: application/xxxx but F5 ASM/AWAF still is trying to inspect the body and thinks that the file body is another Parameter name and I get "Failed to convert character" and "HTTP protocol compliance failed", so making the query parameter of type file upload just can't stop the F5 to try to understand the body and try to check it 😁

0 Kudos
Copyright © 2023 Khoros, LLC