Bug ID 1100393: Multiple Referer headers raise false positive evasion violation

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
17.0.0, 17.0.0.1, 17.0.0.2

Fixed In:
17.1.0, 16.1.4

Opened: Apr 19, 2022

Severity: 3-Major

Symptoms

When multiple Referer headers contain a backslash character ('\') in the query string portion, an 'IIS backslashes' evasion technique violation is raised.

Impact

A false positive evasion technique violation is raised for the Referer header.

Conditions

- 'Url Normalization' is turned on and 'Evasion Techniques Violations' is enabled.
- Multiple Referer headers contain a backslash character ('\') in the query string part.
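
To triage whether a request that raised the violation fits these conditions, the following added example (not F5 code, and not a reproduction of ASM's normalization logic) checks a raw HTTP request for more than one Referer header with a backslash only in the query string. The function names are hypothetical and the sample requests are constructed.

```python
def referer_values(raw_request: bytes) -> list[str]:
    """Return every Referer header value from a raw HTTP/1.x request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "referer":
            values.append(value.strip())
    return values


def backslash_location(referer: str) -> str:
    """Classify a Referer value as 'none', 'query' or 'before_query'."""
    if "\\" not in referer:
        return "none"
    # Everything up to the first '?' is scheme, host and path.
    return "before_query" if "\\" in referer.split("?", 1)[0] else "query"


def matches_bug_conditions(raw_request: bytes) -> bool:
    """True when the request fits the Conditions listed for this bug ID.

    Assumption: a backslash outside the query string may be a genuine
    'IIS backslashes' hit, so such requests are not treated as candidates.
    """
    locations = [backslash_location(v) for v in referer_values(raw_request)]
    return (
        len(locations) > 1
        and "query" in locations
        and "before_query" not in locations
    )


# Constructed sample requests (not captured traffic).
_HEAD = b"GET /app HTTP/1.1\r\nHost: www.example.com\r\n"
_HOME = b"Referer: https://www.example.com/home\r\n\r\n"
TWO_REFERERS_QUERY = (
    _HEAD + b"Referer: https://www.example.com/search?q=a\\b\r\n" + _HOME
)
ONE_REFERER_QUERY = (
    _HEAD + b"Referer: https://www.example.com/search?q=a\\b\r\n\r\n"
)
TWO_REFERERS_PATH = (
    _HEAD + b"Referer: https://www.example.com/dir\\page?q=1\r\n" + _HOME
)

if __name__ == "__main__":
    for name in ("TWO_REFERERS_QUERY", "ONE_REFERER_QUERY", "TWO_REFERERS_PATH"):
        print(name, matches_bug_conditions(globals()[name]))
```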

Workaround

In the HTTP Header Properties screen, turn off 'Url Normalization' in the 'Normalization Settings' section of the 'referer' property.

Fix Information

Fixed handling of multiple Referer headers before URL Normalization.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips