PhilippeG
Oct 25, 2021
Solved

Define allowed character in ASM for JSON parameter

I'm intercepting a POST with a JSON parameter and I want to check the content, but I'm not able to see where to define the allowed characters, length and type of each parameter.

I defined my parameters as JSON value.

If I post the following request, it's working:

<code>
{
  "data": {
    "type": "enrollment",
    "attributes": {
      "fire": "t",
      "app": "t",
      "installation": "t",
      "credential": "t",
      "phoneNumber": "1"
    }
  }
}
</code>

This one is also working

<code>
{
  "data": {
    "type": "enrollment",
    "attributes": {
      "fire": "f",
      "app": "f",
      "installation": "f",
      "credential": "f",
      "phoneNumber": "1"
    }
  }
}
</code>

But if I post the following content, it's blocked with an error message that I have an "illegal character" (it's the same characters as above, but I have two characters in the value instead of one):

<code>
{
  "data": {
    "type": "enrollment",
    "attributes": {
      "fire": "tf",
      "app": "tf",
      "installation": "tf",
      "credential": "tf",
      "phoneNumber": "2"
    }
  }
}
</code>

So where can I define the length and type of each JSON value?

9 Replies

  • Hi  

    Thanks for the reply. I already had a look at this page and I also checked "character set" in "application security - Content profiles - Character sets - JSON content" and in "application security - Parameters - Character sets - Parameter Value/Name".

    What I don't understand is why it's accepted when the character is in first position in the value but not when it is in second position (or more).

    KR

    Philippe

    • Daniel_Wolf

      Sorry, maybe I was on the wrong track.

      Does this violation occur with any combination of more than one character in the value?

      Or only when the f is in second position?

      Or on any character in the second position?

       

      EDIT: Did you change the Default JSON profile?

      • Daniel_Wolf

        Are you sure those are JSON values and not user-input values?

        Do you have an OpenAPI Spec file to verify?

         

        Since you are running on 15.1.2.1, as stated - if you have an OpenAPI Spec file, can you create a policy "REST API Security (Open API Spec)" with the Guided Configuration?

         

        KR

        Daniel
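
The last reply suggests building the policy from an OpenAPI Spec file. As an added illustration (not posted in the thread and not F5's own material), this is how an OpenAPI 3.0 file declares the type, length and allowed characters of each value in the request body from the question; the path, the length limits and the patterns are assumptions.

```yaml
# Added example: OpenAPI 3.0 description of the request body from the question.
# The path, limits and patterns below are assumptions chosen for illustration.
openapi: 3.0.3
info:
  title: Enrollment API (hypothetical)
  version: "1.0"
paths:
  /enrollments:                      # hypothetical path
    post:
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/EnrollmentRequest"
      responses:
        "201":
          description: Enrollment created
components:
  schemas:
    Token:                           # shared constraint for the short string fields
      type: string
      minLength: 1
      maxLength: 64                  # assumed limit
      pattern: "^[A-Za-z0-9]+$"      # assumed allowed characters
    EnrollmentRequest:
      type: object
      required: [data]
      additionalProperties: false    # reject keys the spec does not name
      properties:
        data:
          type: object
          required: [type, attributes]
          additionalProperties: false
          properties:
            type:
              type: string
              enum: [enrollment]
            attributes:
              type: object
              required: [fire, app, installation, credential, phoneNumber]
              additionalProperties: false
              properties:
                fire: { $ref: "#/components/schemas/Token" }
                app: { $ref: "#/components/schemas/Token" }
                installation: { $ref: "#/components/schemas/Token" }
                credential: { $ref: "#/components/schemas/Token" }
                phoneNumber:
                  type: string
                  pattern: "^[0-9]{1,15}$"   # assumed format
```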