Last Modified: Jul 12, 2023
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
10.2.4
Fixed In:
11.5.0
Opened: Sep 12, 2013 Severity: 3-Major
You occasionally see false positives because ASM performs a second URL-decoding round on the parameter value: %25 is decoded to % in the first round of processing, and that resulting % is then consumed again, together with the characters that follow it, in the second round.
Occasional false positives occur.
-- The policy has some parameters configured with regular-expression checks that allow characters frequently permitted in passwords, including alphanumeric characters and many special characters, notably the percent sign (%).
-- When a client sends a parameter with a properly URL-encoded percent sign followed by some digits
This issue has no workaround at this time.
The system now enforces user-input parameter checks against the value produced by the first decoding round only.
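The following is an added illustration of the behavior described in the symptoms and conditions above; it is not F5 code. The regular expression, the parameter value, and the helper names are constructed for the example. A client sends a password containing a literal percent sign, correctly encoded as %25 and followed by digits. After one decoding round the value still satisfies a permissive password regex (which allows %); after a second round the same bytes decode again and yield a character the regex does not allow, which is the false positive.

```python
# Added example (not F5's code): shows how a second URL-decoding round turns a
# value that satisfies a permissive password regex into one that does not.
import re
from typing import Tuple
from urllib.parse import unquote

# Constructed stand-in for a policy regex that allows characters commonly found
# in passwords, including the percent sign. The single quote is deliberately
# absent, as it would be in a typical password check.
PASSWORD_RE = re.compile(r"^[A-Za-z0-9%!@#$^&*()_+=.\-]+$")


def decode_rounds(raw: str, rounds: int) -> str:
    """Apply URL decoding `rounds` times (rounds=2 models the pre-fix behavior)."""
    value = raw
    for _ in range(rounds):
        value = unquote(value)
    return value


def enforce(raw: str, rounds: int) -> Tuple[str, bool]:
    """Decode `raw` the given number of times, then evaluate the policy regex.

    Returns the decoded value and whether the policy would allow it.
    """
    value = decode_rounds(raw, rounds)
    return value, bool(PASSWORD_RE.fullmatch(value))


# Constructed client input: a literal '%' encoded as %25, followed by digits.
# Intended plaintext after one decode is P%27ssw0rd, i.e. a percent sign and
# the digits 2 and 7, not a quote.
SAMPLE = "P%2527ssw0rd"

if __name__ == "__main__":
    for rounds in (1, 2):
        value, ok = enforce(SAMPLE, rounds)
        print(f"rounds={rounds}: value={value!r} allowed={ok}")
```

Run stand-alone, the script shows that one decoding round yields `P%27ssw0rd`, which the regex accepts, while a second round yields `P'ssw0rd`, which it rejects. Enforcing after the first round only, as the fix does, removes the spurious violation while still checking the value the application actually receives.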