Forum Discussion

Aurel
Jun 26, 2019

Unparsable request content - which security tradeoff?

Hello all,


I am facing a violation for URL length exceeding the default ASM (2048) value.

Options to deal with this seem to be:

  • increasing the whole system variable value of 2048
  • disabling the HTTP compliance check "Unparsable request content", which implies removal of several other HTTP checks for the whole policy
  • disabling ASM for the specified URI


What do you think would be the best security tradeoff?

Having no ASM at all for a URI, releasing some HTTP checks on the whole policy, or increasing the default system value and thereby increasing ASM load?


Thanks a lot for any thoughts.


4 Replies

  • Hi Aurel and santoshmashetti,

    The best security tradeoff is to define this URI(s) in ASM Microservices and disable the HTTP compliance check under this URI only.

    Look here for more details:

    https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/working-with-bigip-security-policy-microservices.html

    Doing this narrows the attack surface for your device and provides an optimal tradeoff for your policy.
    But make sure this length is valid and the violation is a false positive.


    Thanks

  • JG

    There could be a third option, i.e. fix the application and make it use the POST method.

    • Aurel

      Hi JG, absolutely. I talked to the app team before, and this behaviour would be a consequence of mini applications inside the application page. I will make them aware of the security issue that this implies.


      • santoshmashetti

        Hi Aurel, JG,

        This is Santosh.

        I am new to F5 and I am also facing the same issue. I can ask the application team to make it a POST method. But my question is: in the details of this violation it is showing "URL length: 3610 exceeded maximum limit of: 3096". I am a bit curious how this 3610 has been calculated. I tried to match this 3610 with the request URI but it is nowhere matching. Actually there is a very big query string, which is more bytes than 3096. Can you help me understand how it is calculated?


        Thanks in advance,
        Santosh. M