
Alex_f5
Oct 17, 2018

ASM allowed URLs with header based content

Hello community, I would like to clear up my ideas about the allowed URLs in the ASM. I have an ASM policy which is still in staging, but I have found some violations in JSON posts that are false positives and I want to stop them.

This is the content of the HTTP request that I want to allow:

So, I have created an allowed URL with a header-based content profile to allow it and stop receiving illegal requests for this reason. This is the content of the allowed URL:

But I am not sure if this config will help me, since I already see an HTTP wildcard in this policy (it's there by default and has no header content profiles there except the default one).

The suggestions made by the ASM do not help me. I would like to go with the option to permit these posts when the system finds the /web/dataset/* path in the URL, and stop receiving violations when posts like this happen. Am I following the correct approach to resolve this problem?

Thanks a lot. Alex.

 

4 Replies

  • Hi,

    Just to comment, you intend to mitigate violations on URLs that start with "/web/dataset/", right? Considering that all violations are disabled/mitigated on the JSON profile, I may suggest you only change the "Content-Type" value to "*json*". I can't see when JSON objects will be posted without a "json" declared content type. In case it is possible, it should go to the global wildcard treatment while you don't set all possibilities on your URL object header-based conditions.

    Just to remember, wildcards are processed from more specific to less specific. You could check/set this on the menu "Security > Application Security > URL > Wildcards Order".

    Anyway, it could be my approach.

    Regards.


  • Alex,

    What is the violation that is triggered by the request?

  • Hello Scott, the violations found are:

    • Evasion technique detected
    • Failed to convert character
    • HTTP protocol compliance failed

    But it is my understanding that if we just allow the URL and we add a header-based content profile that matches a specific value in the HTTP header, then the ASM will not generate a log even if other violations are found. Am I wrong? Thank you!

  • Alex,

    "but I am not sure if this config will help me since I already see an HTTP wildcard in this policy"

    An explicit URL will always match before a wildcard URL, so /web/dataset/ will match in preference to the global wildcard.

    "would like to go in the option to permit these posts when the system finds the /web/dataset/* path in the URL ... and stop receiving violations when posts like this happen."

    Creating an explicit URL gives you the opportunity to tune the content profile, signature and metacharacter checks applied to that URL; it does not create a blanket pass for the URL.

    Applying the correct content profile will make a big difference. However, it may not address issues such as "HTTP protocol compliance failed", which are checks that are applied before URL-specific inspection.

    If you need to completely bypass ASM policy inspection for a URL, or apply a much less strict ASM policy to those URLs, then you need to create a specific Local Traffic Policy, applied to the virtual server, that controls which ASM policy is applied for the various URLs.

    K22021244: Bypassing the BIG-IP ASM system (12.1.0 and later)
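To make the matching order described in the first and last replies concrete (explicit URL before wildcards, wildcards in configured order, the header-based content profile chosen by a Content-Type pattern with fallback to the URL's default, and HTTP protocol compliance evaluated before any URL lookup), here is an added Python model written for this thread; it is not BIG-IP code, and the policy dictionary, profile names and the single Host-header compliance check are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed policy model for this thread (an illustration, not BIG-IP's data model).
# Explicit URLs are exact paths. Wildcard URLs are fnmatch patterns kept in the
# order ASM would evaluate them: more specific first, the catch-all "*" last.
POLICY = {
    "explicit": {"/login": {"default": "form"}},
    "wildcards": [
        ("/web/dataset/*", {"Content-Type": {"*json*": "json-relaxed"}, "default": "default"}),
        ("*", {"default": "default"}),
    ],
}

def protocol_compliance(headers):
    """One illustrative HTTP compliance check; these run before any URL lookup."""
    if "Host" not in headers:
        return ["HTTP protocol compliance failed: no Host header"]
    return []

def match_url(policy, path):
    """Explicit URL wins; otherwise the first wildcard in configured order."""
    if path in policy["explicit"]:
        return path, policy["explicit"][path]
    for pattern, entry in policy["wildcards"]:
        if fnmatchcase(path, pattern):
            return pattern, entry
    return None, None

def select_profile(entry, headers):
    """Header-based condition on Content-Type, falling back to the URL default."""
    ctype = headers.get("Content-Type", "").lower()
    for pattern, profile in entry.get("Content-Type", {}).items():
        if fnmatchcase(ctype, pattern.lower()):
            return profile
    return entry["default"]

def inspect_request(policy, path, headers):
    """Return which URL entry and content profile apply, plus pre-URL violations."""
    violations = protocol_compliance(headers)   # raised regardless of URL tuning
    url, entry = match_url(policy, path)
    profile = select_profile(entry, headers) if entry else None
    return {"url": url, "profile": profile, "violations": violations}

if __name__ == "__main__":
    # Constructed sample request matching the thread's JSON POST scenario.
    hdrs = {"Host": "app.example", "Content-Type": "application/json; charset=utf-8"}
    print(inspect_request(POLICY, "/web/dataset/123", hdrs))
```

The last case in the model shows why tuning the URL's content profile alone does not silence a protocol compliance violation: that check fires before the URL entry is ever consulted.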