Bug ID 430450: Add option to enforce user input parameters after first decoding round

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
10.2.4

Fixed In:
11.5.0

Opened: Sep 12, 2013

Severity: 3-Major

Symptoms

You occasionally see false positives because ASM performs a second URL decoding of the parameter value: %25 is decoded to % in the first round of processing, and the resulting % is then decoded again in the second round.

Impact

Occasional false positives occur.

Conditions

-- The policy has some parameters configured with regular expression checks that allow characters frequently allowed in passwords, including alphanumeric characters and many special characters, notably the percent sign (%).
-- A client sends a parameter with a properly URL-encoded percent sign followed by some digits.
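The following is an added illustration of the symptom and conditions above, not F5 code: the allow-list regular expression and the password value are constructed for this example, and it shows how the same wire value passes a check applied after one decoding round but fails the same check after a second round.

```python
import re
from typing import Tuple
from urllib.parse import unquote

# Constructed policy rule (assumption, not ASM's actual configuration): the
# parameter may contain alphanumerics and common password specials, including %.
PASSWORD_ALLOWED = re.compile(r"^[A-Za-z0-9!@#$%^&*()_+\-=.,?]+$")


def decode_rounds(value: str, rounds: int) -> str:
    """Apply URL decoding `rounds` times, as a double-decoding engine would."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def check_parameter(raw_value: str, rounds: int) -> Tuple[str, bool]:
    """Decode the raw wire value `rounds` times and test it against the regex.

    Returns (decoded_value, passes_check). A False result on legitimate
    input is the false positive described in this bug.
    """
    decoded = decode_rounds(raw_value, rounds)
    return decoded, PASSWORD_ALLOWED.fullmatch(decoded) is not None


# Constructed example: the user's real password is Pa%27ss (a literal percent
# sign followed by digits). The browser URL-encodes '%' as %25 exactly once.
WIRE_VALUE = "Pa%2527ss"

if __name__ == "__main__":
    once = check_parameter(WIRE_VALUE, rounds=1)   # ('Pa%27ss', True)
    twice = check_parameter(WIRE_VALUE, rounds=2)  # ("Pa'ss", False): false positive
    print("after one decoding round: ", once)
    print("after two decoding rounds:", twice)
```

The once-decoded value is what the application itself receives, so enforcing the check after the first decoding round evaluates the same string the server will see.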

Workaround

This issue has no workaround at this time.

Fix Information

The system now enforces user input parameters after the first decoding round.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips