Fileupload blocked by ASM-policy

Hello, we have a website for our customers that provides binary file upload. Sometimes this upload is blocked by the security policy of this VIP. The reason is, for example, a matching attack signature for command execution like "..".
We tried to allow this specific URL in the policy and set the option "don't check", but the file upload is still blocked.
How can I force ASM not to check the binary data in a PUT or POST request?

The Request looks like this:

PUT /secure/customerarea/upload/file HTTP/1.1
Host: www.website.de
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: */*
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X_FILE_ID: D2F239435200F14766EAB6F0F8E37B46
X_FILE_NAME: corrupted_upload.dpo
X_FILE_EXTENSION: dpo
X_TOTAL_FILE_SIZE: 58762084
X_CHUNK_SIZE: 1048576
Content-Type: application
Content-Range: bytes 34603008-35651584/58762084
X-Requested-With: XMLHttpRequest
Content-Length: 1048576
DNT: 1
Connection: keep-alive
X-Forwarded-For: 192.168.76.1

Bq?=#??!?"?????i5??4Z?????.?r
??W?K??b&?q:mAv?o?lOF?l j?t[>b??n{???wC????Jo#?s?m5??^??A?8????v-?????`??wc?O? ???? ?l?grfF_9? y????l??6??%   ?2?@?O????t??  ?[??|????????Gr????m9???5f?=X0??8],?'???bS?ZdR?0????6_?:?G?????IHt?buZ?cOyx?#?G?)????x?]?s;
B??c??

Troubleshooting steps we have taken:
* allow the specific URL with the option "don't check"
* allow the specific URL with parameters for file upload
* deactivate the ASM policy for the specific URL via an iRule (the example code from F5 DevCentral won't work because of version 11.4)


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hey there! I tried to set a wildcard parameter for this URL to have the possibility to use the "learn" button. But the ASM won't recognise any parameter, because there isn't one. It's the payload itself that causes the problem. Remember, it's a PUT/POST request and nothing I can handle through a GET parameter.
A big encrypted file is split into 1 MB chunks and these chunks are transferred as the payload of this PUT request.
I didn't expect it to be so difficult to tell the ASM not to use several attack signatures on the payload for a specific URL.

Comments on this Answer
Comment made 23-Jan-2018 by MSZ 472

Try to disable the signature at URL level if you are using v13.0 and above.


One option is to disable the specific attack signature on the specific parameter in question. You can review the ASM logs (Event Logs > Application > Requests) to find the specific block and then click the "learn" button listed beside the "Attack Signature Detected" link. This will take you to a screen that shows the specific parameter in question and will prompt you to create the parameter and disable that specific attack signature. If the issue at hand is simply one parameter getting caught by one specific attack signature, this should solve the problem. If it's more than this, let me know and I can try to help with other solutions.


Yes, that's a possible way. But this would deactivate this signature for the entire policy. The URL is the endpoint of an application and I couldn't manage to get "/file" to work as a parameter. The ASM doesn't recognise any parameter I have tried, although the option "Handle Path Parameters" is set to "as Parameters". Even a wildcard parameter for "/secure/customerarea/upload/*" with the parameter setting "ignore value" didn't solve my problem.

Deactivating the attack signature for "path traversal" won't be a good idea, I think.


Andreas, Have you got a wildcard parameter set? If so you could set Tightening too so the ASM log should pick out the Parameter it caught this on and then you could disable accordingly. Hope this Helps, N


I agree...you could set a wildcard parameter and then view the request logs to see the exact parameter being blocked. Then, you could click the "Learn" button next to the specific attack signature being tripped, and the ASM will automatically add the parameter and disable the attack signature for that specific parameter only.


Update. One of our web developers changed our application to transfer all file uploads base64-encoded. This solved my problem, because base64 content doesn't contain the text that matches the attack signatures.
The size of the upload increased with this solution, but it's better to wait some time while transferring than to get no transfer at all.

F5 Support couldn't solve this issue in any way other than the ones we already discussed.

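The base64 workaround described in this answer, as an added example that is not the poster's code and not F5's: a chunked PUT client that base64-encodes each chunk, so the request body is drawn only from the base64 alphabet and cannot contain ".." or any other byte sequence a text attack signature would match, plus the matching server-side reassembly that validates Content-Range against the declared total before writing. The URL and the X_FILE_NAME, X_TOTAL_FILE_SIZE, X_CHUNK_SIZE and Content-Range headers are taken from the request in the question; the text/plain Content-Type, the chunk size and the sample file bytes are assumptions or constructed for the example.

```javascript
// Added example: chunked upload with base64-encoded bodies. Not the poster's
// code; header names follow the question's request, everything else is assumed.

const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Minimal base64 encoder over a Uint8Array (works in browser and Node alike).
function base64Encode(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; i += 3) {
    const b0 = bytes[i], b1 = bytes[i + 1], b2 = bytes[i + 2];
    const n = (b0 << 16) | ((b1 || 0) << 8) | (b2 || 0);
    out += B64[(n >> 18) & 63] + B64[(n >> 12) & 63];
    out += b1 === undefined ? '=' : B64[(n >> 6) & 63];
    out += b2 === undefined ? '=' : B64[n & 63];
  }
  return out;
}

// Matching decoder; rejects anything outside the base64 alphabet.
function base64Decode(str) {
  const body = str.replace(/=+$/, '');
  if (!/^[A-Za-z0-9+/]*$/.test(body)) throw new Error('invalid base64');
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of body) {
    acc = ((acc << 6) | B64.indexOf(ch)) & 0xffff;
    bits += 6;
    if (bits >= 8) { bits -= 8; out.push((acc >> bits) & 0xff); }
  }
  return Uint8Array.from(out);
}

// True if the raw bytes contain the ASCII pattern (what a text signature sees).
function bytesContain(bytes, asciiPattern) {
  const pat = Array.from(asciiPattern, c => c.charCodeAt(0));
  outer: for (let i = 0; i + pat.length <= bytes.length; i++) {
    for (let j = 0; j < pat.length; j++) if (bytes[i + j] !== pat[j]) continue outer;
    return true;
  }
  return false;
}

// Constructed sample "binary" file: pseudo-random bytes with a planted "../etc"
// run, the kind of accidental signature match the question describes.
function constructedSample(size) {
  const bytes = new Uint8Array(size);
  let x = 0x2545f491;
  for (let i = 0; i < size; i++) {
    x = (Math.imul(x, 1103515245) + 12345) >>> 0;
    bytes[i] = x >>> 24;
  }
  bytes.set([0x2e, 0x2e, 0x2f, 0x65, 0x74, 0x63], Math.floor(size / 2));
  return bytes;
}

// Client side: one PUT per chunk, body base64 instead of raw bytes.
// Content-Type: text/plain is an assumption (the body is now ASCII). Returns
// request objects rather than sending them; in a browser `body` would go to
// XMLHttpRequest.send() or fetch().
function buildChunkRequests(fileName, fileBytes, chunkSize) {
  const requests = [];
  for (let offset = 0; offset < fileBytes.length; offset += chunkSize) {
    const chunk = fileBytes.subarray(offset, Math.min(offset + chunkSize, fileBytes.length));
    const body = base64Encode(chunk);
    requests.push({
      method: 'PUT',
      url: '/secure/customerarea/upload/file',
      headers: {
        'X_FILE_NAME': fileName,
        'X_TOTAL_FILE_SIZE': String(fileBytes.length),
        'X_CHUNK_SIZE': String(chunkSize),
        'Content-Range': `bytes ${offset}-${offset + chunk.length - 1}/${fileBytes.length}`,
        'Content-Type': 'text/plain',
        'Content-Length': String(body.length),
      },
      body,
    });
  }
  return requests;
}

// Server side: decode and reassemble. Every range is checked against the
// declared total before writing, so a malformed or hostile chunk cannot
// write outside the buffer.
function reassemble(requests) {
  const total = Number(requests[0].headers['X_TOTAL_FILE_SIZE']);
  const file = new Uint8Array(total);
  for (const r of requests) {
    const m = /^bytes (\d+)-(\d+)\/(\d+)$/.exec(r.headers['Content-Range']);
    if (!m || Number(m[3]) !== total) throw new Error('bad Content-Range');
    const start = Number(m[1]), end = Number(m[2]);
    const chunk = base64Decode(r.body);
    if (end < start || end >= total || chunk.length !== end - start + 1) {
      throw new Error('chunk does not fit declared range');
    }
    file.set(chunk, start);
  }
  return file;
}
```

The cost is the one the answer mentions: each 1 MB chunk becomes 4*ceil(1048576/3) = 1398104 bytes on the wire, roughly a third more. The benefit is that the WAF's text signatures now only ever see characters from `A-Z a-z 0-9 + / =`, which by construction cannot contain "..", so no signature has to be disabled on the policy, the URL or a parameter.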
Comments on this Answer
Comment made 02-Dec-2013 by John Wagnon
Thanks for the update Andreas. I'll keep this issue in mind and I'll let you know if I find another suitable solution for you.
Comment made 3 months ago by schusb 64

We're facing the same problem. Are there any known solutions so far?

BIG-IP 13.1.0.6 Build 0.0.3 Point Release 6

I could think of setting a Header-Based Content Profile, where we use a "Request Body Handling" of "Do nothing" for the Content-Types "application/octet-stream" and "application/pdf".

With this solution in place, is only the binary file excluded from ASM inspection?
