Forum Discussion

Mike_Maher
Oct 07, 2009

Multiple Decodings

I have an application that is showing a lot of violations for Multiple Decoding. From what I am seeing, it looks like I can increase the value from 2 to 3, and that should help my problem but not necessarily increase my risk. My understanding is that ASM will still decode the content as many times as necessary to get to the ASCII value, and protection will still be provided at that level. I wanted to get some other opinions, though: how does everyone else manage this setting? Do you turn it on at all?

3 Replies

  • Is the value triggering the violation encoded more than two times? I've seen one or two bugs with this functionality in 9.4.x.

    In general, I think ASM decodes the exact number of times configured. If there are still percent-encoded values, a violation is triggered. I don't think there is any significant performance hit if you set it for 3 decodings and the clients only send double-encoded values. I'd expect ASM wouldn't decode the parameters if there wasn't anything to decode.

    In our customers' policies, I always try to enable this check.

    Aaron
  • I always try to keep it at two decodings, but sometimes I've had to set it to 3 (when not in the mood to teach lazy programmers how they have to do their job).

    Javi

    Edit: no performance impact at all.
  • There are valid cases where the parameter values might be URL-encoded more than two times. One example is XML element values in parameter values.

    Aaron
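As an added illustration of the behaviour discussed in this thread (a configured number of decoding passes, a violation raised when percent-encoded values remain after those passes, decoding that stops early when there is nothing left to decode, and a triple-encoded XML value that legitimately needs a third pass), here is a small Python model. It is not F5 code and does not reproduce ASM's actual implementation; the `check_param` policy, its one-entry signature list and the sample parameter values are constructed for the example.

```python
import re
from urllib.parse import quote, unquote

# Any %XX sequence left after the configured passes counts as "still encoded".
PERCENT_SEQ = re.compile(r"%[0-9A-Fa-f]{2}")


def encode_times(value: str, times: int) -> str:
    """URL-encode `value` the given number of times (only used to build sample input)."""
    for _ in range(times):
        value = quote(value, safe="")
    return value


def decode_passes(value: str, max_passes: int):
    """Apply up to `max_passes` URL-decoding passes to a parameter value.

    A pass that changes nothing ends the loop early, which is why raising the
    limit costs nothing for plain or singly encoded input.
    Returns (decoded_value, passes_used, still_encoded).
    """
    current = value
    passes_used = 0
    for _ in range(max_passes):
        decoded = unquote(current)
        if decoded == current:
            break  # nothing left to decode
        current = decoded
        passes_used += 1
    still_encoded = PERCENT_SEQ.search(current) is not None
    return current, passes_used, still_encoded


def check_param(value: str, max_passes: int, signatures=("<script",)):
    """Toy policy decision (not ASM's real logic): decode up to the limit,
    flag leftover encoding as a multiple-decoding violation, otherwise run the
    signatures against the fully decoded text. Returns a reason or None."""
    decoded, _, still_encoded = decode_passes(value, max_passes)
    if still_encoded:
        return "multiple-decoding"
    lowered = decoded.lower()
    for sig in signatures:
        if sig in lowered:
            return f"signature:{sig}"
    return None


# Constructed sample values (not taken from the thread).
PAYLOAD = "<script>alert(1)</script>"
SINGLE = encode_times(PAYLOAD, 1)   # %3Cscript%3E...
DOUBLE = encode_times(PAYLOAD, 2)   # %253Cscript%253E...
XML_FRAGMENT = "<item>a b</item>"
TRIPLE_XML = encode_times(XML_FRAGMENT, 3)  # a legitimate value needing 3 passes


if __name__ == "__main__":
    for name, value in (("single", SINGLE), ("double", DOUBLE), ("triple xml", TRIPLE_XML)):
        for limit in (1, 2, 3):
            decoded, used, left = decode_passes(value, limit)
            print(f"{name:10} limit={limit} passes_used={used} "
                  f"still_encoded={left} result={check_param(value, limit)}")
```

With the limit at 2, the double-encoded script payload is fully decoded and caught by the signature, while the triple-encoded XML value is reported as a multiple-decoding violation; raising the limit to 3 lets the XML through cleanly and does not add passes for values that are already decoded.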