Forum Discussion
Can you explain a little bit more on this?
"If you find this more concerning than globally allowing null bytes, then disabling the "null in request" violation would be the way to go."
I can't give you a clear right or wrong answer on this.
When you disable the "null in request" violation, it will be disabled for the entire policy. If your application is vulnerable to null byte attacks anywhere, then you lose a relevant protection for that. Likely not the only protection, as one of the other violations may be able to catch it. So is this an acceptable risk? Probably yes, but I can't make that call without knowing your application and your security requirements or general policy setup.
If you set the parameter to type File Upload, this will only affect this specific parameter and not the rest of your policy. But if your application happens to be vulnerable to any kind of injection attack exactly on that parameter, then ASM would likely not be able to prevent it anymore (unless you run v14 and have attack signatures enabled on the parameter). Again, whether this is likely, or whether the risk is acceptable, is something you alone can decide.