Forum Discussion

tatmotiv's avatar
tatmotiv
Icon for Cirrostratus rankCirrostratus
Mar 08, 2022

HTTP header name with underscore cannot be masked in AWAF logging

Hi all,

I'm currently facing the situation that I need to mask the value of several http headers in AWAF logging. I have setup both headers in identical manner within the application security policy, both with "Mask Value in Logs" option enabled:

 

Now, when I issue an http request like that with both headers being present...

...one of those headers will get masked/obfuscated in the logging, the other will not:

I suppose this is due to the underscore in the http header name. I am aware that the use of underscores in http header names is discouraged and considered deprecated, but nevertheless these are present out there and there has to be a solution to this. 

TMOS version is 15.1.5

Has anybody experienced a similar situation and knows how to circumvent this? Any help is appreciated.

Many thanks in advance,
Martin

 

 

 

5 Replies

  • Hi tatmotiv,

    đź‘Ť for the nickname. Works for me in 16.1.

     

    Following settings:

    Just checking the obvious... Did you apply the policy after making those changes.
    General hint, stay away from headers with underscores. They are uncommon and some web servers don't play well with them.

    KR
    Daniel

    • tatmotiv's avatar
      tatmotiv
      Icon for Cirrostratus rankCirrostratus

      Hi Daniel - nice to see you again!
      (we met before - you gave an AWAF training at my company last year, remember?)

      Of course, I applied the policy with all of those settings being active, so that's not the problem. I did some additional tests in the meantime with quotation marks after colleagues pointed me here, but things got even weirder then. Now, I have included two headers with underscores im my request (for testing purposes).

      One can be masked in logging, but only when I configure the header name BOTH with AND without quotation marks (either of this alone would not work).

      The other cannot be masked at all in any constellation (quoted only, unquoted only, both quoted/unquoted).

      I presume a bug here and probably will open a support case for this.

      • Hi tatmotiv,

        yes, I do remember the training. Nice to see you here too. Remember I told you on the training - if you ask an AWAF question here, chances are not too bad you will get an answer promptly. 🙂 

        Odly, this works also on my 15.1.5 box.

        I couldn't find a known bug either for this behaviour. 
        Can you share an example of your working config with the double quotes?

        KR
        Daniel