For PCI, they don't like IIS accepting requests with Tilde (~) characters.
I'm presuming ASM is the perfect place to apply a fix for this; can someone help?
This answer is pulled off of a 12.1.0 box (simply because that's what I have up at the moment), but you can disallow characters here:
Security ›› Application Security : Parameters : Character Sets : Parameter Value
Tilde appears to be disallowed by default.
Hm.. I have that disallowed already, but still I can browse to www.site.com/~~ (which is what the ASV scans will do) and nothing is blocked. I presume because this is a banned parameter value, not a banned URL/string? Any other ideas?
You have this in the URL settings too: Security ›› Application Security : URLs : Character Set
I also have it there as Disallow.. but it isn't blocked?
0x7e ~ Disallow
Under Blocking/Learning settings, I have "Illegal meta character in URL" ticked for Block & Alarm.
But can still browse to www.site.com/~
If your policy is in blocking, you have the relevant setting set to block, and you have the metacharacter disallowed and it's still not blocking, I would suggest opening a ticket with support. At this point we will need to look at your actual policy, as well as an HTTPWatch of the session. You should be sure to run your asmqkview --add-request-log.
Note that if you are running an older version of our software you may need to use a different flag to include your request logs.
Make sure you don't have the wildcard * in staging in your Allowed URLs list.
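Added example, not code from this thread or from F5: a small Python model of the two character-set checks discussed above (the URL character set versus the parameter-value character set), useful for working out which setting a given scanner URL falls under, and for remembering that a percent-encoded %7E decodes to the same tilde. The violation names, the single-pass decoding and the separate path/query handling are assumptions for illustration, not ASM's own engine.

```python
# Local model of the two ASM character-set checks discussed in the thread.
# Assumptions (not verified against ASM): the path is checked against the URL
# character set, each query-string value against the parameter-value character
# set, and both are percent-decoded once before the check.
from urllib.parse import urlsplit, unquote, parse_qsl

# Security >> Application Security : URLs : Character Set
DISALLOWED_URL_CHARS = {"~"}
# Security >> Application Security : Parameters : Character Sets : Parameter Value
DISALLOWED_PARAM_CHARS = {"~"}


def classify_request(url: str) -> list:
    """Return (violation name, offending character) pairs for one request URL.

    An empty list means neither character set would flag the request.
    """
    parts = urlsplit(url)
    violations = []

    # Decode once so /%7E is treated like /~ (a scanner may send either form).
    path = unquote(parts.path)
    for ch in sorted(set(path) & DISALLOWED_URL_CHARS):
        violations.append(("Illegal meta character in URL", ch))

    # Parameter values are a separate character set: a tilde here does not
    # trigger the URL check, which is why disallowing it only under
    # "Parameter Value" does nothing for a request to /~~ .
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        for ch in sorted(set(value) & DISALLOWED_PARAM_CHARS):
            violations.append(("Illegal meta character in parameter value", ch))

    return violations


if __name__ == "__main__":
    # Constructed sample requests, modelled on what an ASV scan might send.
    for sample in ("http://www.site.com/~~",
                   "http://www.site.com/%7E",
                   "http://www.site.com/index.html?user=~root",
                   "http://www.site.com/index.html"):
        print(sample, "->", classify_request(sample) or "allowed")
```

Running the same URLs against the real policy in transparent mode and comparing the logged violations with this model is a quick way to see whether the URL character set or the parameter-value character set is the one actually being evaluated.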
Hi! I have the same issue in my lab. Have you fixed it?