I have dynamic parameters, so each time asm block the parameter. That's why I'm asking if i have unchecked this violation is it risky ?

note that all parameter value with meta characters will be blocked.

so how illegal parameters affect website security?

There is no 100% correct answer is it risky or not - it depends on application.

If you know all parameters, which are allowed in your app, then defining such list and forbid all other parameter will be a good protection.

The more strict configuration you define, the better protection you will get.

As I see, there are several ways how you can avoid block by "Illegal parameter" violation without disabling it:

1. If this dynamic parameter is dynamic session ID in URL, then you can use special "Dynamic Session ID in URL" policy setting to define it
2. If this dynamic parameter is path parameter in URL, then you can create approriate positional parameter for that URL
3. If this dynamic parameter is actual for specific URLs flow only, then you can define this URLs flow and create parameter with Parameter Value Type = "Dynamic parameter name" for it
4. You can create appropriate wildcard or pure wildcard parameter to match this dynamic parameter. It should be better, then just disabled "Illegal Parameter" violation, because in such case you will have abbility to adjust enforcement for this dynamic parameter at least by properties of appropriate wildcard

Thanks, Ivan

Hello,

This happens because you have special characters in name of wildcard parameter.

To make it work like special character you need to create wildcard parameter with name Terms\[*\].Groups

Thanks, Ivan

thank you , i will try that.