Forum Discussion

Aurel
Feb 12, 2019

Content-Type header in body

Hello guys, I have an application that does not behave in a fully RFC-compliant way: it crafts requests with the Content-Type header placed after a CRLF. The request is a multipart/form-data.

ASM is then considering this as a block of data and parsing it the wrong way.

I am preparing to set an exception for this and would like to set the best one. I'm thinking of URL + method = signature exceptions (until new ones appear that may require no signature check at all).

Thanks a lot for any share of experience.

2 Replies

  • RFC violation is pretty serious and the risks are quite high - just Google for "CRLF Injection" to see the dangers of such attacks.

    You should really speak to the application developers to get them to fix this and remove the CRLF injection vulnerability. If fixing the application code is not possible then you need to very carefully consider the exception - you might need to do it with an iRule and only allow the exception from trusted IP addresses rather than the whole Internet.
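As an added illustration (not code from this thread, from F5, or from the ASM product), here is a small Python parser that splits a raw HTTP/1.1 request at the first empty line, the way any RFC 7230 parser does, and shows why a Content-Type header sent after an extra CRLF ends up inside the body: the receiver sees no multipart content type at all, so it has no boundary to parse the body with, which is exactly the "block of data" behaviour the question describes. The request bytes, the /upload path, the host name and the boundary are constructed for the example; `leading_header_lines` is an assumed check, the kind of signal a defender can look for when deciding how narrow an exception has to be.

```python
import re
from typing import Dict, List, Optional, Tuple

# RFC 7230 header field: token ":" ... (token chars per the RFC grammar)
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:")

BOUNDARY = b"XYZ"
# Constructed multipart body: one part named "note" carrying "hello".
BODY = (b"--" + BOUNDARY + b"\r\n"
        b'Content-Disposition: form-data; name="note"\r\n\r\n'
        b"hello\r\n"
        b"--" + BOUNDARY + b"--\r\n")


def build_request(misplace_content_type: bool) -> bytes:
    """Build a constructed POST. With misplace_content_type=True the client
    emits an extra CRLF *before* Content-Type, which (as in the question)
    terminates the header block early. Content-Length is omitted to keep
    the sample short; it does not change where the header block ends."""
    head = b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
    ct = b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
    if misplace_content_type:
        return head + b"\r\n" + ct + b"\r\n" + BODY
    return head + ct + b"\r\n" + BODY


def split_request(raw: bytes) -> Tuple[bytes, Dict[str, str], bytes]:
    """Split a request as an RFC 7230 parser does: request line, header
    fields up to the first empty line (CRLF CRLF), then everything after
    that is body, whatever it looks like."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of header block")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    return lines[0], headers, body


def multipart_boundary(headers: Dict[str, str]) -> Optional[str]:
    """Boundary a multipart parser would use, or None if the headers carry
    no multipart/form-data Content-Type (the misplaced-header case)."""
    ct = headers.get("content-type", "")
    if not ct.lower().startswith("multipart/form-data"):
        return None
    m = re.search(r'boundary="?([^";]+)"?', ct)
    return m.group(1) if m else None


def leading_header_lines(body: bytes) -> List[str]:
    """Names of header-shaped lines at the very start of the body, stopping
    at the first empty or non-header line. A non-empty result means the
    client closed its header block too early: a concrete, narrow condition
    to key an exception on, instead of relaxing checks for a whole URL."""
    found: List[str] = []
    for line in body.split(b"\r\n"):
        if not HEADER_LINE.match(line):
            break
        found.append(line.split(b":", 1)[0].strip().decode().lower())
    return found


if __name__ == "__main__":
    for broken in (False, True):
        _, hdrs, body = split_request(build_request(broken))
        print("misplaced Content-Type:", broken)
        print("  parsed Content-Type  :", hdrs.get("content-type"))
        print("  multipart boundary   :", multipart_boundary(hdrs))
        print("  header lines in body :", leading_header_lines(body))
```

Run it and compare the two cases: the well-formed request yields a boundary of `XYZ` and an empty `leading_header_lines` result, while the misplaced-header request yields no Content-Type and no boundary, with `content-type` showing up as the first line of the body. That difference is what ASM is reacting to, and it is also what makes a blanket URL + method exception broad: it would also accept requests where something other than a misplaced Content-Type landed in the body.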