ASM disallowed url %

Question

All,&nbsp;Running into an issue with disallowed url on ASM. We needed to block the ecp in owa like so https://owa.host.com/ecp, this works as expected just by adding /ecp in the disallowed list. If you use trustwave or another filter that changes the url to the below example, you bypass the /ecp block,&nbsp;https://owa.host.com/owa/auth/logon.aspx?replaceCurrent=1&amp;url=https%3a%2f%2fowa.host.com%2fecp%2f&nbsp;I need to be able to block this request as well but unable to figure out how to have ASM detect the %2fecp%2f. &nbsp;Any thoughts?

drj · Answer

Have you verified that the evasion techniques are set correctly? I'm not able to check at the moment, but this may also depend on your parameter settings/require an explicit parameter check?

https://support.f5.com/csp/article/K7929

ivan_chernenkii · Answer

Is request logged with /ecp URL in second case?

As I see, in second case you send /ecp URL in query string parameter, that is why disallowed URL doesn't have affect on it.

To block all requests with /ecp in URL or in query string you can create attack signature like uricontent:"/ecp"; nocase;

dave_pisarek · Answer

I just created a customer signature for the specific ecp pattern.

Forum Discussion

ASM disallowed url %

3 Replies

Recent Discussions

About custome Response Blocking Page

Office Online Server with SharePoint 2016

health monitor source IP address

How to target only webview rendering with CSS?

ltm policy asm_auto_l7_policy

Related Content

ASM - Adding Allowed URL's via CLI in 2023

ASM logs

ASM Local Traffic Policy to redirect on specific URL

URL Shortener

URL redirection irule