Forum Discussion

draco_184361
Jan 22, 2018

post body data parameters-f5 asm

Hi

Was deploying F5 ASM for an Oracle ERP application. In one of the URLs, I see the below:

/OA_HTML/RF.jsp ->

    POST /OA_HTML/RF.jsp?function_id=ATTACHREST&security_group_id=0&isReadOnlyCustomPopup=Y HTTP/1.1
    Accept: /
    OAFunc: FND_DIALOG_PAGE
    Content-Type: application/xml
    Referer: ..
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: xxxxx
    Content-Length: 374
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: oracle.uix=0^^GMT+3:00^p; BIGipServerAstad_EBS_New_Production.app~Astad_EBS_New_Production_pool=285673482.18975.0000; treemenu1=none open; TS0138831c=01a978a1118e5f142c8bdedb210759f1efd1cbb0e7858f7defc2b66744ee059917758af593252e6894b3d7d77ccecbdf6b0b1d8714d82627e6751b69c4203d9c2a3a03ebce; JSESSIONID=sKBjhfTGJx2vgPgChKLf0NRg4QS6MKD1nzrbn2vTRB6sFZHstT59!-1288392341; SEN=PxNOVkXYr6XhV5sczV6xUMxBEs; TS01e2cc2e=01a978a11159660c4ab4659f98b13ba4e89cb6d882858f7defc2b66744ee059917758af5936cc77f9eb059c70455c2863c6aecfab53595c2cdd64bf1594b170cc87d60a700
    X-Forwarded-For: yyyy

oracle.apps.ap.invoice.request.negotiation.server.NegotiationAMgetListOfFilesAttachment::Attach_0_::ATTACH_/oracle/apps/ap/invoice/request/negotiation/webui/InvPoReqNegoPG.Attachment::yy.xx::516040::true::true::true::true::ATTACHMENT_LINK_06N

F5 ASM detects the whole as a parameter and detects the param tag vulnerability. I am cross-checking with the application as well. But there are many param tags in several other POST body data. How do I add an exception for this and other tags for this URL, and remove this attack signature from blocking? The param fields differ for other sessions and other tabs, but I believe the URL is the same. Do you think I should add a wildcard parameter for this URL and remove the attack signature inspection for that?

8 Replies

  • Hello draco, can you post a snapshot for the same from the event log.

     

  • Hi draco,

    This attack signature is currently in staging, which means that ASM will never block a request matching this signature ID until you enforce it out of staging. So you can keep it this way if it's causing a lot of false positives for your application, or you can enforce it globally and disable this signature ID at the URL level.

  • draco

    Yeah, I know it's not in blocking... haven't put it yet... need to fine-tune. I am getting a lot of false positives with regard to this... am not sure about doing an exception globally... wanted to know if there is a way to do it for this particular URL entry... wanted to know if F5 detecting the entire POST body data as a parameter is correct or not... if not, how do I rectify it and make F5 look into the params field resplist and homepage?

  • You will not have control over how F5 will parse the content of a specific request. If this behavior is under a specific URL, you can disable it under this URL by defining this URL in the allowed URL list, defining a wildcard parameter, and disabling the mentioned signature ID for such parameter. If not, keep it disabled globally, or you can use an iRule to unblock a request being blocked as it matches this specific signature ID.

  • The Content-Type of that request is application/xml

    Add an explicit URL

    Select Advanced

    Set a Header-Based Content-Profile for application/xml with a default XML profile and see if that resolves the issue.
  • Yes kolom... I'll do that as a last resort... thank you for your prompt response.

  • Signature ID: 200001411 only produces false positives and can be safely disabled in my opinion - it is looking for

    text. ASM is known to contain such strange signatures from the early 2000s Snort signature list, which were not very accurate.
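
The Header-Based Content-Profile suggestion above can be illustrated with a small model; this is an added example, not code from the thread and not F5's implementation. It assumes a constructed XML body, a hypothetical signature that fires on a literal `<param` tag, and a simplified inspector that falls back to form parsing unless an XML profile is attached to the URL.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

# Hypothetical stand-in for a signature that fires on a literal "<param" tag.
PARAM_TAG_SIG = re.compile(r"<\s*param\b", re.IGNORECASE)

# Constructed sample body (not the poster's request); "resplist" and
# "homepage" are the parameter names mentioned in the thread.
SAMPLE_BODY = (
    '<params>'
    '<param name="resplist">516040</param>'
    '<param name="homepage">ATTACHMENT_LINK</param>'
    '</params>'
)

def inspect_as_form(body):
    """Treat the body as url-encoded form data, whatever it really is."""
    pairs = parse_qsl(body, keep_blank_values=True)
    hits = [(n, v) for n, v in pairs
            if PARAM_TAG_SIG.search(n) or PARAM_TAG_SIG.search(v)]
    return pairs, hits

def inspect_as_xml(body):
    """Parse the body as XML and run the signature on extracted values only."""
    root = ET.fromstring(body)
    values = []
    for el in root.iter():
        values.extend(el.attrib.values())
        if el.text and el.text.strip():
            values.append(el.text.strip())
    hits = [v for v in values if PARAM_TAG_SIG.search(v)]
    return values, hits

def inspect(content_type, body, xml_profile_enabled):
    """Pick the parser from Content-Type only when an XML profile is attached."""
    media_type = content_type.split(";")[0].strip().lower()
    if xml_profile_enabled and media_type in ("application/xml", "text/xml"):
        return inspect_as_xml(body)
    return inspect_as_form(body)

if __name__ == "__main__":
    print(inspect("application/xml", SAMPLE_BODY, xml_profile_enabled=False))
    print(inspect("application/xml", SAMPLE_BODY, xml_profile_enabled=True))
```

Without the profile, the whole body becomes a single name/value pair split at the first `=`, and the markup itself trips the signature. With the profile, only attribute and element values are inspected, so the tags no longer match.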