Here the Block.As you can see is "%" is detected without encoding meaning.This is normal since the "%" is in the Body of the post as JSON data (see below)Of course if I disable the "Bad unescape" in " Learning and Blocking Settings" it works, but my Goal is to bypass using rule on parameter or similar, till now without success.Does anyone have a solution ? ======= JSON on POST Dody Request =======================

Hi, Have a look here, it's how to solve it using AWAF Microservices : False Positive Bad Unescape BIG-IP ASM | DevCentral Or you can add a JSON content profile : https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0/20.html check the impacted URL >> create it explicitly >> enable meta characters.

Really appreciate the answer, thank you very much ...I still have problem to understand how it work, here what I, Created a "URLs : Allowed URLs : Allowed HTTP URLs" for POST request and on Meta Character I Disallowed the "%" . Now the request is not anymore blocket in term of "Bad unescape" but is allowed, and this is fine, but it looks that Meta Character control that is configure to block "%" (for test purpose) is not working. Where I'm wrong, I thougth that we where able to control Json Body Characters in this way .. isn't ?

Hi, By disallowing it like that, the request should be blocked if it contains "%" so you need to allow it, if it's false positive

Yes my need to permit "%" in bodyis now ok, but ...As you can see isn't blocked (server send back answer), even if in Meta Character is selected as "Disallow", I'm expecting a Block page, my doubt is that maybe we have to work with parameters

Hi, Make sure you enforce the newly created URI with POST method and disallowed %.and make sure you enable this: also the policy in blocking mode

Bypass "Bad unescape" in Body POST (ASM, POST, JSON)

Mohamed_Ahmed_Kansoh
MVP
Sep 13, 2024
Hi,
Have a look here, it's how to solve it using AWAF Microservices :
False Positive Bad Unescape BIG-IP ASM | DevCentral

Or

you can add a JSON content profile : https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0/20.html

check the impacted URL >> create it explicitly >> enable meta characters.
helenio
Nimbostratus
Sep 16, 2024
Really appreciate the answer, thank you very much ...
I still have problem to understand how it work, here what I, Created a "URLs : Allowed URLs : Allowed HTTP URLs" for POST request and on Meta Character I Disallowed the "%" .

Now the request is not anymore blocket in term of "Bad unescape" but is allowed, and this is fine, but it looks that Meta Character control that is configure to block "%" (for test purpose) is not working.

Where I'm wrong, I thougth that we where able to control Json Body Characters in this way .. isn't ?
- Mohamed_Ahmed_Kansoh
  MVP
  Sep 16, 2024
  Hi,
  
  By disallowing it like that, the request should be blocked if it contains "%" so you need to allow it, if it's false positive
- helenio
  Nimbostratus
  Sep 16, 2024
  Yes my need to permit "%" in bodyis now ok, but ...
  As you can see isn't blocked (server send back answer), even if in Meta Character is selected as "Disallow", I'm expecting a Block page, my doubt is that maybe we have to work with parameters
  - Mohamed_Ahmed_Kansoh
    MVP
    Sep 16, 2024
    Hi,
    
    Make sure you enforce the newly created URI with POST method and disallowed %.
    
    and make sure you enable this:
    
    also the policy in blocking mode
zamroni777
Nacreous
Sep 16, 2024
"%" is opening tag for for asp and aspx server side scripts (dotnet)
https://asp.net-tutorials.com/basics/hello-world/
if your app server is not using asp/asp.net,
ensure that asp* is not listed in the asm profile's server technology

Forum Discussion

Bypass "Bad unescape" in Body POST (ASM, POST, JSON)

Recent Discussions

COMPRAR DINERO FALSO TELEGRAM @CANNAUNION35

ACQUISTA SOLDI CONTRAFFATTI TELEGRAM @CANNAUNION35

COMPRAR BILLETES FALSOS TELEGRAM @CANNAUNION35

201 Recommendations for Study

GTM pool is OFFLINE even if pool members are UNKNOWN

Related Content

Bypass certificate check

Bypass WAF for X-forwarder IP in XC

MSM Bypass

Bypassing ASM on HTTP response

Implementing SSL Orchestrator - Decryption Bypass by Category