Forum Discussion

svs
Dec 21, 2016

ASM: Change the POST data parameter delimiter

Hi Folks,

 

Currently I'm trying to create a security policy for the famous open source ticket system OTRS. Due to the behavior of OTRS I'm stuck with parameter handling. If an agent is sending a response to the customer, the POST request is sent in a format like this:

 

POST /otrs/index.pl? HTTP/1.1
Host: otrs.example.com
[...]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 
[...]

TicketID=12345;[...]Subject=;Body=

instead of

 

POST /otrs/index.pl? HTTP/1.1
Host: otrs.example.com
[...]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 
[...]

TicketID=12345&[...]Subject=&Body=

So as the delimiter used to separate single parameters is a semicolon, instead of ampersand, the ASM does not recognize all single parameters. The only parameter seen is the first one listed (here: "TicketID"). Only when a content type of "multipart/form-data" is used, the ASM can identify all the parameters. Typically I'm disabling violations, i.e. Attack Signatures, based on a tuple of parameter/URL. But as the ASM cannot identify the single parameters in the request the only chance is to disable a violation globally or for the first parameter listed (in the example above "TicketID"). This doesn't make sense for the policy, because it's very usual that there is content sent in emails, which will trigger Attack Signature Violations, for example SQL Code, HTML/JavaScript or Linux Bash commands. Therefore it makes sense to disable those Attack Signatures only on single parameters, like "Body".

 

Has anybody an idea how to handle this? Is there a chance to make ASM also use a semicolon as a parameter delimiter in POST requests? It would be necessary to let the ASM check for ampersand and semicolon, as not all POST requests are sent with a semicolon.

 

I thought about an iRule, which would replace all semicolons in a POST request body on the client side to ampersands, if several conditions are matching (especially "[HTTP::header Content-Type] starts_with 'application/x-www-form-urlencoded'"), and then, on the server side, replace them back to semicolons. But I fear that this may be very resource intensive.

 

I appreciate any ideas to resolve this issue.

 

Thanks in advance.

 

Greets, svs
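
The parsing difference described in the post above, as an added example that is not part of the original thread and is not F5 or OTRS code: a splitter that honours only `&` files the whole semicolon-delimited body under the first parameter, while one that accepts both `&` and `;` isolates `Body`, so an exception can be scoped to it. The sample body, its values and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample body in the semicolon-delimited style shown in the post.
SAMPLE_BODY = "TicketID=12345;Subject=Re%3A+login+issue;Body=SELECT+*+FROM+users%3B+--"


def split_params(body, delimiters="&"):
    """Split an x-www-form-urlencoded body on the given delimiter characters.

    Returns (name, value) pairs. Percent-decoding happens after splitting, so
    an encoded delimiter (%26, %3B) inside a value never splits that value.
    """
    pattern = "[" + re.escape(delimiters) + "]"
    pairs = []
    for field in re.split(pattern, body):
        if not field:
            continue  # empty field from a trailing or doubled delimiter
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def names_seen(body, delimiters):
    """Parameter names a parser using these delimiters would report."""
    return [name for name, _ in split_params(body, delimiters)]


def scoped_exception_applies(body, delimiters, exempt_param="Body"):
    """True if the parser isolates exempt_param, so a signature exception can
    be limited to that parameter instead of the first one or the whole policy."""
    return exempt_param in names_seen(body, delimiters)


if __name__ == "__main__":
    for label, delims in (("ampersand only", "&"), ("ampersand and semicolon", "&;")):
        print(label)
        for name, value in split_params(SAMPLE_BODY, delims):
            print(f"  {name!r} = {value!r}")
        print("  exception can be scoped to Body:",
              scoped_exception_applies(SAMPLE_BODY, delims))
```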

 

2 Replies

  • nathe

    svs,

     

    According to this solution you're out of luck. I checked Advanced Configuration too and no joy. This solution doesn't have v12 listed as "Applies to" so I wonder if this behaviour has changed in v12, else the solution hasn't been updated.

     

    If not then I'd probably raise a case with F5 or an RFE. Others may have requested this so the more visibility the better.

     

    N

     

  • MaCrek

    Hi,

     

    Did you find a solution for how to achieve this? After 3 years, I have the same issue. Maybe in current versions there should be an option to change the x-www-form-urlencoded params delimiter.

     

    thanks