unblock illegal parameters

THE_BLUE
Cirrus

What is the best practice for ASM policy?

If I have unchecked "illegal parameter" from the policy, is this risky? Or can we mitigate this by doing something?

6 REPLIES

Ivan_Chernenkii
F5 Employee

It depends on what you are trying to achieve... Could you provide a little bit more information about what issue you are trying to solve by disabling this violation?

I have dynamic parameters, so each time ASM blocks the parameter. That's why I'm asking: if I have unchecked this violation, is it risky?

Note that all parameter values with meta characters will be blocked.

So how do illegal parameters affect website security?

There is no 100% correct answer as to whether it is risky or not - it depends on the application.

If you know all the parameters which are allowed in your app, then defining such a list and forbidding all other parameters will be good protection.

The stricter the configuration you define, the better the protection you will get.

As I see it, there are several ways you can avoid being blocked by the "Illegal parameter" violation without disabling it:

  1. If this dynamic parameter is a dynamic session ID in the URL, then you can use the special "Dynamic Session ID in URL" policy setting to define it
  2. If this dynamic parameter is a path parameter in the URL, then you can create an appropriate positional parameter for that URL
  3. If this dynamic parameter is relevant for a specific URL flow only, then you can define this URL flow and create a parameter with Parameter Value Type = "Dynamic parameter name" for it
  4. You can create an appropriate wildcard or pure wildcard parameter to match this dynamic parameter. This should be better than just disabling the "Illegal Parameter" violation, because in that case you will have the ability to adjust enforcement for this dynamic parameter at least through the properties of the appropriate wildcard

Thanks, Ivan

THE_BLUE
Cirrus

If I have these parameters:

Terms[1].Groups

Terms[2].Groups

Terms[3].Groups

and so on,

I have created one parameter, Terms[*].Groups, but a new parameter, e.g. Terms[4].Groups, doesn't match the wildcard. Why?

Hello,

This happens because you have special characters in the name of the wildcard parameter.

To make it work like a special character, you need to create a wildcard parameter with the name Terms\[*\].Groups

Thanks, Ivan

Thank you, I will try that.