Forum Discussion

Emil_T's avatar
Emil_T
Icon for Altostratus rankAltostratus
Aug 11, 2024

Leading tab in header name: Authorization

I have a violation / suggestion a detection of Leading tab in header named: "Authorization"

When I look at the request, I don't see the "TAB" in the header name. I expect to see something like this:

"    Authorization"

But, what I see is header named "Authorization"

I'm wondering whether the meaning here is header context or is there something else I'm missing.

 

Here is the request and F5 log:

BIG-IP Application Security Manager
Security Events Report
Exported on: 2024-08-11 16:40:22 | Exported by: 
Hostname: F5-AWAF | IP Address: 
Support ID: 5162895
Request Details
Requested URL [HTTPS] /ag/logout
Time     2024-08-11 15:46:57
Enforcement Action      Block
Enforced By      Application Security Policy
Violation Rating 1  Request is most likely a false positive
Attack Types     Detection Evasion
Geolocation      
Source IP Address   9.5.8.6.:53483
Device ID          N/A
Username         N/A
Session ID         ad8a5466e66666b6
Source IP Intelligence    N/A
Security Policy   /Common/SWAF
Virtual Server    /Common/s
Request Status  
Blocked
Blocking Exception Reason        N/A
Accept Status    Not Accepted
Host     s.co
Destination IP Address   16.16.16.6:443
Response Status Code   N/A
Protocol Info     HTTP/1.1
Severity            Error
Signatures CVEs N/A
Detected Violations
Attack signature detected [1]
Request
Request actual size: 1337 bytes.
GET /Ag/logout HTTP/1.1
Host: s.co.
Connection: keep-alive
Cache-Control: no-cache, no-store, must-revalidate
sec-ch-ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Pragma: no-cache
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
Authorization: ************************************************************************************************************************************************************************************************
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: application/json, text/plain, */*
If-Modified-Since: 0
Expires: 0
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://s.co/Ag/
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en,en-US;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: _ga=GA1.1.6666663693.6666667143; SL_C_23361dd035530_SID={"666666":{"sessionId":"6666-T6666666","visitorId":"666666HGfeRq"}}; _ga_QX6666666=GS1.1.6666661357.0.0; TS014666666
X-Forwarded-For: 6.6.6.6

Response
No response details are available because request was blocked
Violation Details
Attack signature detected [1]
Detected Keyword         
**** (sensitive data masked)
Attack Signature            ID
200018064

Name
Leading tab in header name

Context Header
Header Name   Authorization
Header Value    *****
Applied Blocking Settings           Block Alarm Learn
Violation Description
Description
The system examines the HTTP message for known attacks by matching it against known attack patterns.

Severity
Error

authorization header
leading tab