Bug ID 430450: Add option to enforce user input parameters after first decoding round

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:

Fixed In:

Opened: Sep 12, 2013

Severity: 3-Major


You occasionally see false positives because the ASM performs a second URL decoding of the parameter value- %25 is decoded to % in the first round of processing, the resulting % is utilized in the second round.


Occasional false positives occur.


-- The policy has some parameters configured with regular expression checks that allow characters frequently allowed in passwords, including alphanumeric characters and many special characters- notably the percent sign (%). -- When a client sends a parameter with a properly URL-encoded percent sign followed by some digits


This issue has no workaround at this time.

Fix Information

The system now enforces user input parameters after the first decoding round.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips