ASM - Best way to filter out requests containing tilde ~ character?

For PCI, they don't like IIS accepting requests with Tilde (~) characters.

I'm presuming ASM is the perfect place to apply a fix for this; can someone help?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

This answer is pulled off of a 12.1.0 box (simply because that's what I have up at the moment), but you can disallow characters here:

Security ›› Application Security : Parameters : Character Sets : Parameter Value

tilde appears to be disallowed by default.

Comments on this Answer
Comment made 03-Mar-2017 by PowerShellDon 112

Hm.. I have that disallowed already, but still I can browse to www.site.com/~~ (which is what the ASV scans will do) and nothing is blocked. I presume because this is a banned parameter value, not a banned URL/string? Any other ideas?

Comment made 03-Mar-2017 by Amine Kadimi 675

You have this in the URL settings too: Security ›› Application Security : URLs : Character Set

Comment made 03-Mar-2017 by PowerShellDon 112

I also have it there as Disallow.. but it isn't blocked?

0x7e ~ Disallow

Under Blocking/Learning settings, I have "Illegal meta character in URL" ticked for Block & Alarm.

But can still browse to www.site.com/~

Comment made 03-Mar-2017 by Chris Grant

If your policy is in blocking, you have the relevant setting set to block, and you have the metacharacter disallowed and it's still not blocking, I would suggest opening a ticket with support. At this point we will need to look at your actual policy, as well as an HTTPWatch of the session. You should be sure to run your asmqkview --add-request-log

Note that if you are running an older version of our software you may need to use a different flag to include your request logs.

Comment made 03-Mar-2017 by Amine Kadimi 675

Make sure you don't have the wildcard * in staging in your Allowed URLs list.

Comment made 06-Mar-2017 by PowerShellDon 112

'*' is not in staging. I will raise a support call, thanks.
Comment made 13-Nov-2017 by Franco 175

Hi! I have the same issue in my Lab, have you fixed it?

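An added check, not code from this thread or from F5: a Python script that scans request log lines for URLs carrying the 0x7e tilde, raw or percent-encoded (the /~~ probe an ASV scan sends), that were still served, which is the condition the thread is trying to confirm the URL Character Set blocks. The log line format and the "served means 2xx/3xx status" rule are assumptions; the sample lines are constructed, not real BIG-IP output.

```python
from urllib.parse import unquote

# Disallowed URL metacharacters to look for. The thread is about 0x7e (~);
# kept as a table so it can mirror the policy's "URLs : Character Set" page.
DISALLOWED = {0x7E: "~"}


def disallowed_chars_in_url(url_path: str) -> list:
    """Return the disallowed characters present in a URL path.

    One level of percent-decoding is applied first so that both a raw '~'
    and its encoded form '%7E' / '%7e' are caught.
    """
    decoded = unquote(url_path)
    return sorted({DISALLOWED[ord(c)] for c in decoded if ord(c) in DISALLOWED})


# Constructed sample request log (assumed format, not BIG-IP output):
# "<client ip> <method> <uri> <response status>", one request per line.
SAMPLE_LOG = """\
203.0.113.5 GET /index.html 200
203.0.113.5 GET /~~ 200
203.0.113.5 GET /%7E%7E 200
203.0.113.5 GET /images/logo.png 304
203.0.113.5 GET /~ 403
"""


def find_served_disallowed_requests(log_text: str) -> list:
    """Return (uri, status) for each logged request whose URI contains a
    disallowed character and that was still served (assumption: a 2xx or
    3xx status means it reached the application rather than being blocked)."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing fields
        _client, _method, uri, status = parts
        if disallowed_chars_in_url(uri) and status[0] in "23":
            hits.append((uri, int(status)))
    return hits


if __name__ == "__main__":
    for uri, status in find_served_disallowed_requests(SAMPLE_LOG):
        print(f"served despite disallowed character: {uri} -> {status}")
```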