Subrun
Nov 07, 2019

Legitimate Traffic is Blocked at ASM Policy

Certain good traffic is blocked at the ASM policy. From the event log I see HTTP protocol compliance failed, due to HTTP validation tagged with "Null in request".

The HTTP POST shows %00 (bold below), which is mentioned in this KB: https://support.f5.com/csp/article/K7931.

f=json&checksum=%EF%BF%BD%1D%EF%BF%BD%D9%8F%00%EF%BF%BD%04%EF%BF%BD%09%EF%BF%BD%EF%BF%BD%EF%BF%BDB%7E&parts=1

 

K7931 shows 3 ways to prevent this, but can someone help: out of the 3 ways, which one should I use, and why, to prevent this "Null in request" message?

Attached Event Log message.

9 Replies

  • Why: https://www.owasp.org/index.php/Embedding_Null_Code

    How: Unless this is a very common occurrence in your application in many different places, I would limit the exception to where it's actually needed. So that would be option 1 from the KB you linked. Create the parameter "checksum" and set it to type "File Upload".

    • Subrun

      Appreciate your help.

      I am just trying to understand how we will prevent "null in request" blocking by creating the parameter "checksum" and setting it to type "File Upload". I mean, I am looking for a more technical explanation for this.

      Another concern: by doing this (with option 1), is that a risk I am accepting for SQL injection type of attacks?

  • Setting the parameter type "File Upload" limits the range of checks that are performed on the parameter value. The primary usage is obviously file uploads, because for example a PDF file or Excel sheet is pretty much a binary blob with some text sprinkled in between and applying meta character checks to see if it includes a quote, a dollar sign, a null byte or some nonprintable character somewhere doesn't make a lot of sense.

    In version 14 (maybe also 13?) you can select to still check attack signatures on File Upload parameters - which for real file uploads may not be very useful, but for your scenario should be a good idea. (note: never tested if this actually works)

    Setting the checksum parameter to file upload will open you up to some risk of attacks specifically on that parameter, because checks on the parameter will be limited.

    If you find this more concerning than globally allowing null bytes, then disabling the "null in request" violation would be the way to go.

    There may be another option that is not mentioned in the KB: An iRule to selectively unblock the request if this violation occurs specifically on that parameter. But that would require some engineering and I don't know if it even actually works.

    • Subrun

      I see that for "File Upload" Option there is no Attack Signature Option I can select. Images attached.

      • gersbah

        This is a feature of version 14 and later. See https://support.f5.com/csp/article/K79544554

        "Note: Prior to BIG-IP ASM 14.0.0, you can configure attack signatures for parameters of Alpha-Numeric data type. Starting in BIG-IP ASM 14.0.0, you can configure attack signatures for parameters of File Upload data type, in addition to parameters of Alpha-Numeric data type."

    • Subrun

      Can you explain a little bit more on this:

      "If you find this more concerning than globally allowing null bytes, then disabling the "null in request" violation would be the way to go."

      • gersbah

        I can't give you a clear right or wrong answer on this.

         

        When you disable the "null in request" violation, it will be disabled for the entire policy. If your application is vulnerable to null byte attacks anywhere, then you lost a relevant protection for that. Likely not the only protection, as one of the other violations may be able to catch it. So is this an acceptable risk? Probably yes, but I can't make that call without knowing your application and your security requirements or general policy setup.

         

        If you set the parameter to type File Upload, this will only affect this specific parameter and not the rest of your policy. But if your application happens to be vulnerable to any kind of injection attack exactly on that parameter, then ASM would likely not be able to prevent it anymore (unless you run v14 and have attack signatures enabled on the parameter). Again, if this is likely, or if the risk is acceptable, is something you alone can decide.
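
The choice discussed in this thread (a per-parameter exception versus disabling the violation for the whole policy) depends on which parameters in the blocked requests actually carry a null byte. The following Python is an added example, not code from the thread or from F5: it decodes the posted body at byte level and tallies null-carrying parameters across several bodies. The function names and the two extra bodies are constructed for illustration.

```python
from collections import Counter
from urllib.parse import unquote_to_bytes

REPLACEMENT = b"\xef\xbf\xbd"  # UTF-8 bytes of U+FFFD, the replacement character

# Body quoted in the original post.
POSTED_BODY = ("f=json&checksum=%EF%BF%BD%1D%EF%BF%BD%D9%8F%00%EF%BF%BD%04"
               "%EF%BF%BD%09%EF%BF%BD%EF%BF%BD%EF%BF%BDB%7E&parts=1")
# Constructed samples standing in for other bodies taken from the event log.
SAMPLE_BODIES = [POSTED_BODY,
                 "f=json&checksum=%00%01abc&parts=2",
                 "f=pjson&where=1%3D1"]


def inspect_body(body):
    """Decode a form-encoded body to bytes; return per-parameter facts."""
    report = {}
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_to_bytes(raw.replace("+", " "))
        key = unquote_to_bytes(name).decode("utf-8", "replace")
        report[key] = {
            "length": len(value),
            "null_offsets": [i for i, b in enumerate(value) if b == 0],
            # Many U+FFFD sequences suggest binary data went through a lossy
            # text conversion before it was sent.
            "replacement_chars": value.count(REPLACEMENT),
        }
    return report


def params_with_nulls(bodies):
    """Count, per parameter name, how many bodies carry a null byte in it."""
    tally = Counter()
    for body in bodies:
        for name, facts in inspect_body(body).items():
            if facts["null_offsets"]:
                tally[name] += 1
    return tally


if __name__ == "__main__":
    for name, facts in inspect_body(POSTED_BODY).items():
        print(name, facts)
    print(dict(params_with_nulls(SAMPLE_BODIES)))
```

If the tally names a single parameter, the exception can be scoped to that parameter; null bytes spread across many parameters point to the policy-wide decision instead.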