cancel
Showing results for 
Search instead for 
Did you mean: 

"Illegal parameter value length" events when parameter is already at that value

Rahul_More
Cirrus
Cirrus

Hi,

The security policy is in transparent mode and when I enable block mode for site. The "Illegal parameter value length" logs are appearing in events request and the requested page is getting blocked. Even the parameter is already at that value.

 

Moreover, I set maximum value length at "Any" but still no progress into it.

 

F5 product:

BIG-IP v14.1.2.6 (Build 0.0.2)

 

Kindly recommend the solution for this issue.

8 REPLIES 8

Erik_Novak
F5 Employee
F5 Employee

Try adding the parameter, explicitly by name, to the security policy. Ensure that the byte length attribute for the parameter is configured for the appropriate maximum length. You can also try changing the value of the parameter wildcard to "Any" which will also prevent the violation but can leave you vulnerable to buffer overflow attempts or other byte-length related attacks. If you already have all the parameters added to the policy, and you know there won't be any additional parameters in the future, you can remove the wildcard. Don't forget to click both Save and Apply Policy options when you make your changes.

Ivan_Chernenkii
F5 Employee
F5 Employee

Could you provide parameter configuration and violation details?

Rahul_More
Cirrus
Cirrus

Hi Ivan & Erik,

 

Thank you for your response and supporting me with this.

 

Currently, there is in the traffic learning no new suggestions/sample requests are available and no related events we can see into Event Logs > Application > Request.

 

Below are the parameter and maximum Length which we have accepted from previous suggestions,

 

d User-input value [HTTPS] /scriptresource.axd Maximum Length: 500

__eventvalidation User-input value [HTTPS] /_login/default.aspx Maximum Length: 10000

__viewstate User-input value [HTTPS] /_login/default.aspx Maximum Length: 10000

ctl00* User-input value Global Maximum Length: Any

 

Note: Now the security policy is set as transparent mode and when enables blocking mode then user gets started ASM support ids and related violations for above parameter value lengths and it will keep asking to modify the earlier maximum length.

 

For reference, https://cdn.f5.com/product/bugtracker/ID911729.html

Please suggest if any engineering hotfix is available to get this issue resolved permanently or other workaround solution.

 

Regards,

Rahul

Erik_Novak
F5 Employee
F5 Employee

Hi Rahul, the bug report indicates that response logging is a condition for this to occur. Are you logging responses? If so, is it vital to log responses? Also, can you see the value of the parameter in the actual request? How much greater than 10,000 is it? You could try increasing the value of the wildcard parameter if it doesn't cause a security concern, and then see if the suggestions stop. You can also ignore the suggestion.

Rahul_More
Cirrus
Cirrus

Hi Erik,

 

The detected parameter values are odd numbers (Ex. 5674) and when I accept the suggestion then maximum value length will get change from 1000 to 10000. except than "ctl00" there is no new suggestion currently available in traffic learning.

 

As per recommendation in bug report, I have disabled the "Learn from responses" feature and now I am monitoring the web application traffic and will ignore the suggestions if the value is lesser than applied one.

 

Kindly suggest if any other recommendations please.

 

 

Regards,

Rahul

Ivan_Chernenkii
F5 Employee
F5 Employee

Hello Rahul,

 

I am not sure that I got your use case - what are you trying to do?

Do you need to Learn parameters from response or not?

Are you interested in restricting parameters by value length or not? If not, then you can set maximum length to any or just disable appropriate violation (or at least disable Learn flag for it).

 

Thanks, Ivan

 

Rahul_More
Cirrus
Cirrus

Hi Ivan,

 

My questions is, I have already set maximum length Any to parameter "ctl00" but when I enable block mode for policy then an after again users are getting the WAF blocked error under the category of "Illegal Parameter Value Length" for same parameter.

 

How I can resolve this problem ? please advice.

 

Regards,

Rahul

Ivan_Chernenkii
F5 Employee
F5 Employee

Do you get "Illegal Parameter Value Length" violation for "ctl00" parameter? With what details (better screenshot)?

Did you apply policy after set length to any?