Forum Discussion

imac_105647
Jun 23, 2010

Application firewalling quandary

This problem is not strictly limited to ASM, but is a more general question:

I am seeing lots of end users type things that throw an exception on the ASM (it's not in blocking mode, so I'm just working through these things). For example, a user hits the shift key when typing a postcode, so instead of typing FT3 5AC they type FT3 percentage signAC, or they forget to shift when typing an email address and we get test'test.com. I've even had someone type -- into a date field.

So my quandary is this: I can disable these exceptions and allow the application to deal with these typos, which it does much more gracefully than the ASM can, but I have to be sure the app does its validation correctly so that, if I allow these characters through, the app is not going to be compromised. Or I allow ASM to block these typos and potentially confuse the end user (there seems to be no way for the ASM to do anything graceful here in prompting the user as to what they have done wrong). I obviously want to block the bad guys, but I want to keep the customer who has made a typo without significantly weakening the ASM policy. How do you guys deal with situations like this?


2 Replies

  • Hi Ian,

    The perfect scenario is if the app uses client-side JavaScript to "ask" the user not to enter invalid characters, ASM is blocking with a tight configuration, and the app does proper validation of the user input. Then you can keep ASM blocking these types of violations and still give the user a good experience. If you know the app handles validation for these fields successfully, you could relax the ASM charset either for specific parameter values or for all parameter values. If the app doesn't do proper sanitisation of user input, I'd say it's better to block errant user input and protect the app.

    I've heard preliminary discussions of the ability to strip meta-characters from specific parameter values. You might consider talking with your account manager to put in a request for this type of functionality.

    Aaron
  • Hi Aaron,

    Thanks for that. I'll discuss with our web team whether the JavaScript is a potential solution. I suspect that they will be reluctant (I think they are big on accessibility for our sites, and JavaScript tends to cause problems there, I believe).

    Ian
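The client-side layer Aaron describes, as an added example that is not part of this thread or of any F5 product: form checks that catch the exact slips Ian lists (a "%" in a postcode, a "'" in an email address, "--" in a date) before the request ever reaches ASM, and name the offending character so the user knows what to fix. The field names, the suspect-character list and the postcode/email patterns are assumptions chosen for illustration, not ASM's actual charset.

```javascript
// Added example, not from the thread. Client-side checks mirroring the typos
// described above; the server must still validate the same fields itself.

// Characters a tight WAF parameter charset commonly rejects (assumed list).
const SUSPECT_CHARS = /[%'"<>;\\]|--/;

// Per-field formats. The postcode pattern is a simplified UK outward/inward
// check and the email pattern is syntax-only; both are illustrative.
const FIELD_RULES = {
  postcode: { re: /^[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}$/i, hint: 'e.g. FT3 5AC' },
  email:    { re: /^[^\s@']+@[^\s@']+\.[^\s@']+$/,        hint: 'e.g. name@example.com' },
  date:     { re: /^\d{4}-\d{2}-\d{2}$/,                  hint: 'YYYY-MM-DD' },
};

// Returns null when the value is acceptable, otherwise a user-facing message.
// The suspect-character check runs first so a shift-key slip is reported by
// the exact character, which is what a WAF block page cannot do.
function validateField(name, raw) {
  const rule = FIELD_RULES[name];
  if (!rule) throw new Error(`unknown field: ${name}`);
  const value = String(raw).trim();
  const bad = value.match(SUSPECT_CHARS);
  if (bad) {
    return `The ${name} field cannot contain "${bad[0]}". Expected format: ${rule.hint}`;
  }
  if (!rule.re.test(value)) {
    return `Please check the ${name} field. Expected format: ${rule.hint}`;
  }
  return null;
}

// Validates a whole form object; returns {ok, errors} so the caller can
// block submission and show a message next to each failing field.
function validateForm(fields) {
  const errors = {};
  for (const [name, raw] of Object.entries(fields)) {
    const msg = validateField(name, raw);
    if (msg) errors[name] = msg;
  }
  return { ok: Object.keys(errors).length === 0, errors };
}

// Constructed sample input reproducing the three typos from the question.
const sample = validateForm({ postcode: 'FT3 %AC', email: "test'test.com", date: '--' });
console.log(sample);
```

Because the same rules must hold when scripting is unavailable (Ian's accessibility point), the server applies identical checks; the browser layer only improves the error message the user sees.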