Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Http requests with the question mark symbol "?" in the URL are not being blocked although disallowed in the URL character list

Go to solution
Wasfi_Bounni
Cirrocumulus
Cirrocumulus

‎03-Mar-2021 12:15

Hi;

 

Http requests with the question mark symbol "?" in the URL are not being blocked although "?" isdisallowed in the URL character list.

 

for example http://www.xyx.com/?/file.extension

 

Kindly

Wasfi

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Simon_Blakely
F5 Employee
F5 Employee
In response to Wasfi_Bounni

‎03-Mar-2021 13:58

You would either do that in an irule (on HTTP_REQUEST)

 

Or look at the

Security  ››  Application Security : Parameters : Parameters List  ››  Parameter Properties

for the * (wildcard) parameter

 

In the Name Meta Characters tab, select

Check characters on this parameter name

 

/ is already disallowed in the metacharacters

View solution in original post

0 Kudos
3 REPLIES 3

Go to solution
Simon_Blakely
F5 Employee
F5 Employee

‎03-Mar-2021 13:10

That question-mark isn't part of the URL - it is the Query Separator.

 

The URL is /

The Query String is /file.extension

 

Query string

0 Kudos

Go to solution
Wasfi_Bounni
Cirrocumulus
Cirrocumulus

‎03-Mar-2021 13:37

Thank you Simon. My aim is to block a URL that have the quetion mark in the manner asked. i.e. followed by any / character. However, if the question mark comes after the final / in the URL path, then I want it to be allowed: For example: http://www.xyz.com/abc/klm/file.php?

 

As I said, the question mark symbol is disallowed in the ASM policy under the URL character set section.

 

Kindly

Wasfi

0 Kudos

Go to solution
Simon_Blakely
F5 Employee
F5 Employee
In response to Wasfi_Bounni

‎03-Mar-2021 13:58

You would either do that in an irule (on HTTP_REQUEST)

 

Or look at the

Security  ››  Application Security : Parameters : Parameters List  ››  Parameter Properties

for the * (wildcard) parameter

 

In the Name Meta Characters tab, select

Check characters on this parameter name

 

/ is already disallowed in the metacharacters

0 Kudos
Copyright © 2023 Khoros, LLC