Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Header name with no header value

DrewW
Nimbostratus
Nimbostratus

‎12-May-2020 05:37 - last edited on ‎04-Jun-2023 21:27 by Fog

Hi,

We had to create a new App Security policy because technical support couldn't tell us why our old one wasn't doing anything after several days of working with them.

I am seeing some events for a rule that says: 'Header name with no header value'

Basically the request looks like this:

Cache-Control: max-age=88544
Connection: keep-alive
Accept: text/css,*/*;q=0.1
From: 
User-Agent: AdsBot-Google (+http://www.google.com/adsbot.html)

I'm not entirely certain how this poses a risk and it seems like it's blocking Google from crawling our website which makes it suboptimal. Are there a list of things that F5 thinks are security issues that just break your website that you have to disable?

Labels:
0 Kudos
5 REPLIES 5

Erik_Novak
F5 Employee
F5 Employee

‎12-May-2020 12:47

In terms of RFC2616 compliance, the empty From: header in your example is probably harmless, but in some cases headers with empty values can cause errors in some parsers. That is why it triggers a violation. You can turn off the block flag for the violation "Header name with no header value" if you determine it is causing a false positive. You have control over the blocking action for every single violation on the Learning and Blocking Settings page. According to RFC, the From request-header field, if given, SHOULD contain an Internet e-mail address for the human user who controls the requesting user agent. The address SHOULD be machine-usable, as defined by "mailbox" in RFC 822 [9] as updated by RFC 1123. Again, probably not malicious but informative about the clients that are accessing your app.

0 Kudos

DrewW
Nimbostratus
Nimbostratus
In response to Erik_Novak

‎13-May-2020 05:38

So does Google's crawler actually send it with an empty From: or not? Any clue? It could just be another scraper saying that its Google.
0 Kudos

Marvin
Cirrocumulus
Cirrocumulus
In response to DrewW

‎09-May-2022 12:35

Hi Drew had similar issue client is buying these Google services but for some Google crawlers the from header was empty.

https://support.google.com/webmasters/thread/110658424/adsbot-google-does-not-include-from-googlebot...

This was of course spoiling the WAF logs with false alerts so what we did is to strip the empty header with Irule when it comes in (bit nasty)

The another thing that should be improved is to mark this BOT as trusted as by default it is untrusted and you cannot overwrite that according to F5 support. So I agree with you this should be improved cause when you acquire their services it should be marked as trusted in my opinion.

0 Kudos

Erik_Novak
F5 Employee
F5 Employee

‎14-May-2020 11:19

Without some forensic data, it is hard to say based on that single example. The User-Agent string looks legit, but is easily spoofed. I am not an expert on Google's bots, but sending an empty header like that is certainly atypical from what we would consider normal browsing behavior. You could try implementing a bot defense profile, and then allow bots at your discretion. Bot defense will challenge all bots for which you don't specify an exception and prevent them from scraping your application.

0 Kudos

DrewW
Nimbostratus
Nimbostratus
In response to Erik_Novak

‎14-May-2020 12:13

Unfortunately even though we pay F5 a huge sum of money we dont have bot defense.
0 Kudos
Copyright © 2023 Khoros, LLC