
Thierry
Aug 03, 2020

ASM best practice to allow \\ in new sec-ch-ua header

Hello,

Recently some of our developers have upgraded to msedge dev then beta, and these browsers (and maybe more Chromium-based browsers in dev/beta mode) are adding a specific brand in the sec-ch-ua header, like this:

sec-ch-ua: "Chromium";v="85", "\\Not;A\"Brand";v="99", "Microsoft Edge";v="85"


The F5 ASM we use here (we use V11 and V13, but this problem has appeared for now only on our V11 boxes) does block these requests, as the header matches the "IIS Backslash" vulnerability.

What does F5 recommend in this situation? We had 2 choices (but maybe there's a 3rd one that's better and we didn't think about it), and we went for the 2nd one:

1st one: disable blocking on the IIS Backslashes vulnerability

2nd one (current workaround): disable all checks on the header itself.

Does F5 have a specific recommendation for this situation?

Thanks in advance,

Regards,

Thierry
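The value that triggers the signature is a well-formed RFC 8941 Structured Field list: each brand is an sf-string, and `\\` and `\"` are the only two escapes the sf-string grammar permits, which is exactly what the "\\Not;A\"Brand" GREASE entry uses. A third option between "disable the signature" and "disable all checks on the header" is therefore to accept the header only when it parses strictly under that grammar, so a backslash that is not an escape inside a quoted brand still fails the check. The following Python is an added example written for this thread; it is not F5 code and does not use any ASM API. It assumes the sec-ch-ua grammar from the UA Client Hints draft (a list of sf-strings, each with a `v` parameter), the `EDGE_85_HEADER` value is the one quoted in the post, and the two malformed samples are constructed for illustration.

```python
import re

# RFC 8941 grammars for sf-token, sf-integer and parameter keys (assumed subset)
_TOKEN_RE = re.compile(r"[A-Za-z*][A-Za-z0-9:/!#$%&'*+\-.^_`|~]*")
_INT_RE = re.compile(r"-?[0-9]{1,15}")
_KEY_RE = re.compile(r"[a-z*][a-z0-9_\-.*]*")


class SecChUaError(ValueError):
    """Raised when a value is not a well-formed sec-ch-ua list."""


def _parse_sf_string(s: str, i: int) -> tuple[str, int]:
    """Parse an sf-string starting at s[i] (must be '"'); return (text, next index).

    Only backslash and double quote may follow a backslash; any other escape,
    an unterminated string or a non-printable character is rejected.
    """
    if i >= len(s) or s[i] != '"':
        raise SecChUaError(f"expected '\"' at offset {i}")
    i += 1
    out = []
    while i < len(s):
        c = s[i]
        if c == "\\":
            i += 1
            if i >= len(s) or s[i] not in '"\\':
                raise SecChUaError(f"invalid escape at offset {i}")
            out.append(s[i])
        elif c == '"':
            return "".join(out), i + 1
        elif not 0x20 <= ord(c) <= 0x7E:
            raise SecChUaError(f"non-printable character at offset {i}")
        else:
            out.append(c)
        i += 1
    raise SecChUaError("unterminated string")


def _parse_params(s: str, i: int) -> tuple[dict, int]:
    """Parse zero or more ';key=value' parameters following a list member."""
    params: dict = {}
    while i < len(s) and s[i] == ";":
        i += 1
        while i < len(s) and s[i] == " ":
            i += 1
        m = _KEY_RE.match(s, i)
        if not m:
            raise SecChUaError(f"bad parameter key at offset {i}")
        key, i = m.group(0), m.end()
        val = True  # a bare key is boolean true in RFC 8941
        if i < len(s) and s[i] == "=":
            i += 1
            if i < len(s) and s[i] == '"':
                val, i = _parse_sf_string(s, i)
            else:
                m = _TOKEN_RE.match(s, i) or _INT_RE.match(s, i)
                if not m:
                    raise SecChUaError(f"bad parameter value at offset {i}")
                val, i = m.group(0), m.end()
        params[key] = val
    return params, i


def parse_sec_ch_ua(value: str) -> list[tuple[str, str]]:
    """Return the (brand, version) pairs of a sec-ch-ua value or raise SecChUaError."""
    brands: list[tuple[str, str]] = []
    s = value.strip(" \t")
    i = 0
    if not s:
        return brands
    while True:
        brand, i = _parse_sf_string(s, i)
        params, i = _parse_params(s, i)
        version = params.get("v")
        if not isinstance(version, str) or not version:
            raise SecChUaError(f"brand {brand!r} has no string 'v' parameter")
        brands.append((brand, version))
        while i < len(s) and s[i] in " \t":
            i += 1
        if i >= len(s):
            return brands
        if s[i] != ",":
            raise SecChUaError(f"expected ',' at offset {i}")
        i += 1
        while i < len(s) and s[i] in " \t":
            i += 1
        if i >= len(s):
            raise SecChUaError("trailing comma")


def is_wellformed_sec_ch_ua(value: str) -> bool:
    """True only if every backslash is an RFC 8941 escape inside a quoted brand."""
    try:
        parse_sec_ch_ua(value)
        return True
    except SecChUaError:
        return False


# The header quoted in the post (Edge 85 dev/beta), as it appears on the wire.
EDGE_85_HEADER = r'"Chromium";v="85", "\\Not;A\"Brand";v="99", "Microsoft Edge";v="85"'
# Constructed malformed samples: a backslash outside any quoted brand, and an
# escape the sf-string grammar does not allow.
MALFORMED_BARE_BACKSLASH = r'"Chromium";v="85", \Not;v="99"'
MALFORMED_BAD_ESCAPE = r'"Chromium\x";v="85"'
```

Run `parse_sec_ch_ua(EDGE_85_HEADER)` and it yields three brands, the middle one decoding to `\Not;A"Brand`, so the backslashes are accounted for by the grammar; both constructed samples raise `SecChUaError`. Whatever mechanism the WAF offers for an exception, scoping it to values that pass `is_wellformed_sec_ch_ua` keeps the backslash signature active for everything the browser would never legitimately send.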