ASM : Multipart/form-data parameter value violation

Hello, after spending some time reading and searching, I can't find complete information to understand my blocking. ASM has blocked multipart/form-data content from a POST request. First is SQL injection 200002305 (sig ID) for content that looks like JSON. I will set a JSON profile for this and see. But the other violations (the ones I am looking for an explanation for) don't look like JSON but more like JavaScript code. Detected keywords are 'javascript' and 'href', and also 'id' (execution attempt violation).

My first question: ASM interprets the following pattern (control name) "app_generated_name" as a parameter; is that correct behaviour? Content-Disposition: form-data; name="_app_generated_name"

Second question: ASM finds JavaScript code content inside those "parameter" values; how does that sound to you? It seems to be the application design, so I am afraid I will have to create an exception for that.

Thanks a lot for any experience sharing on this.


Answers to this Question

  1. If you have: Content-Disposition: form-data; name="_app_generated_name" then yes, "_app_generated_name" is a parameter and is being correctly recognised.

  2. If a POST parameter value contains bits of JavaScript, ASM will of course block it as this looks like a code injection attack. There might be some legit reason for it, if this is how your application works (for example if it is a CMS/Content Management System then users with editor privileges can upload content; however, regular users/visitors of the website must not be able to do that, otherwise hackers can upload any code they want and hack into the website).
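To make the first answer concrete, here is an added example (not the poster's or F5's code) that parses a constructed multipart/form-data body the way a WAF would: each part's Content-Disposition name becomes the parameter name, and each value is checked for the keywords the question mentions. The boundary, part names, body and keyword list are all constructed for illustration.

```python
# Added example: treat each multipart part's Content-Disposition "name" as a
# parameter and report which values contain suspect keywords. The sample body,
# boundary and keyword list below are constructed, not taken from the thread.
import re

# Constructed sample body: a CMS editor posting a menu link plus a plain title.
BOUNDARY = "----WebKitFormBoundaryEXAMPLE"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="_app_generated_name"\r\n'
    "\r\n"
    '<a href="javascript:void(0)" id="menu">Home</a>\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="title"\r\n'
    "\r\n"
    "Quarterly report\r\n"
    f"--{BOUNDARY}--\r\n"
)

# Keywords the original poster reports ASM matching in the blocked values.
SUSPECT_KEYWORDS = ("javascript", "href")

NAME_RE = re.compile(r'name="([^"]*)"', re.IGNORECASE)


def parse_multipart(body: str, boundary: str) -> dict:
    """Return {parameter_name: value} for each part of a multipart body."""
    params = {}
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")
        if not part or part == "--":
            continue  # preamble before the first part, or the closing "--"
        headers, _, value = part.partition("\r\n\r\n")
        match = NAME_RE.search(headers)
        if match:
            params[match.group(1)] = value
    return params


def flag_suspect_params(params: dict, keywords=SUSPECT_KEYWORDS) -> dict:
    """Map each parameter to the keywords found in its value (case-insensitive)."""
    flagged = {}
    for name, value in params.items():
        hits = [kw for kw in keywords if kw in value.lower()]
        if hits:
            flagged[name] = hits
    return flagged


if __name__ == "__main__":
    found = parse_multipart(SAMPLE_BODY, BOUNDARY)
    print(flag_suspect_params(found))
```

Running it shows that only the "_app_generated_name" parameter trips the keyword check, which is the same false-positive pattern the question describes for legitimate CMS content.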

Comments on this Answer
Comment made 1 month ago by Aurel 176

Thanks a lot Samstep for very clear answer.

It is exactly a CMS where users with privileges are uploading content.

I am wondering if ASM could allow JS content on the relevant parameters for users with privileges only, and keep regular users not allowed to. Maybe using flow-level parameters with login pages or iRules...

Comment made 1 month ago by samstep 1854

If you enable Session Tracking and configure Login Page URLs it will be possible to see which user is uploading the content, and the flow can also be used to enforce this. If your trusted users (content editors) come in from a trusted network (e.g. via a corporate proxy server) you can additionally whitelist that IP address so it does not block requests from trusted users.