Forum Discussion

F5Team's avatar
F5Team
Icon for Cirrus rankCirrus
May 31, 2023

ASM - Disable violation for a specific URI

Below is the violation detected for a certain URI. We are looking to disable only for this specific URI

Evasion technique detected [1]
Detected Evasion Technique Bad unescape

Parameter Value
"1.0"?<UserName>xxxxxxx</UserName><UserPassword>Hello123%</UserPassword><CurrentDateTime>2023-05-29</CurrentDateTime><UserType>U

ssword>Hello123%</UserPassword><

(Password contains the character '%')

1. Would the following iRule help? Can we also include character of the parameter value to the iRule to be more specific (ASM::violation details, parameter_data.value)

when ASM_REQUEST_DONE {
if {[ASM::violation names] contains "Evasion technique detected" and [string tolower [HTTP::uri]] contains "URI"}
{
ASM::unblock
log local0. "ASM unblocking [HTTP::uri]"
}
}

2. Would adding a return carriage or a space to the html code before the </UserPassword> work?

security

2 Replies

Sort By
  • Mohamed_Ahmed_Kansoh's avatar
    Mohamed_Ahmed_Kansoh
    Icon for MVP rankMVP
    May 31, 2023

    Hi F5Team , 

    you can use irule like you wrote above also see these Article about 1-ASM irules , 2- how to get the correct name of the violation to specifiy it in the iRule: 
     > https://my.f5.com/manage/s/article/K15573541
     > https://my.f5.com/manage/s/article/K37744422

    But what if another violation under ( Evasion Technique Detection ) other than Badunescape one. 

    I would recommend to adjust the system variable attribute "ecard_max_http_req_uri_len" to higher value but you need to do that in a maintenance window because you need to restard asm deamon service for the changes to take effect , to do that please refer to this article : 
    https://my.f5.com/manage/s/article/K000092642
    you will find within it another article with the steps.

    I hope that helps you 

  • F5Team's avatar
    F5Team
    Icon for Cirrus rankCirrus
    Jun 05, 2023

    Thanks
    We've used another option "Security Policy Microservices", which can be applied to more specific traffic.

    This unblocked 'Bad unescape' only for that specific URI.

    1) Go to Security  ››  Application Security : Security Policies : Policies List  ››  Policy name 

    2) Select Microservices --> Create --> as shown in the screenshot.