Bug ID 430450: Add option to enforce user input parameters after first decoding round

Last Modified: Oct 06, 2020

Bug Tracker

Affected Product:
BIG-IP ASM(all modules)

Known Affected Versions:
10.2.4

Fixed In:
11.5.0

Opened: Sep 12, 2013
Severity: 3-Major

Symptoms

You occasionally see false positives because ASM performs a second URL decoding of the parameter value: %25 is decoded to % in the first round of processing, and in the second round that % together with the characters following it is treated as a new escape sequence and decoded again. The value that is then checked against the parameter's regular expression is no longer the value the client actually sent.

Impact

Occasional false positives occur.

Conditions

-- The policy has parameters configured with regular expression checks that allow characters frequently used in passwords, including alphanumeric characters and many special characters, notably the percent sign (%).
-- A client sends such a parameter with a properly URL-encoded percent sign (%25) followed by digits.
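The following is an added illustration of the double-decoding behavior described above; it is not code from the page or from F5, and the regular expression, the parameter value and the helper names are assumptions chosen for the example. It shows that a password containing a literal percent sign followed by digits, encoded correctly by the client, passes a single decoding round but is altered by a second round into a value the allow-list regex rejects, while a genuinely malicious value is rejected after one round regardless.

```python
import re
from urllib.parse import quote, unquote

# Hypothetical parameter regex (assumed, not from the page): alphanumerics plus
# the kind of special characters a password policy typically permits, including %.
PASSWORD_RE = re.compile(r"^[A-Za-z0-9!@#$%^&*()_+=-]+$")


def client_encode(plain: str) -> str:
    """Proper URL encoding as a browser would send it: '%' becomes '%25'."""
    return quote(plain, safe="")


def decode_rounds(raw: str, rounds: int) -> str:
    """Apply URL decoding `rounds` times to a raw parameter value."""
    value = raw
    for _ in range(rounds):
        value = unquote(value)
    return value


def enforce(raw: str, rounds: int):
    """Decode the raw value `rounds` times, then check it against the regex.

    Returns (decoded_value, allowed). `rounds=2` models the pre-fix behavior
    described in the bug; `rounds=1` models enforcement after the first round.
    """
    value = decode_rounds(raw, rounds)
    return value, bool(PASSWORD_RE.match(value))


if __name__ == "__main__":
    # Constructed legitimate password containing '%' followed by digits.
    password = "Tax%2017"
    raw = client_encode(password)           # -> "Tax%252017"
    print("wire value:        ", raw)
    print("one decoding round:", enforce(raw, 1))   # ("Tax%2017", True)
    # The second round turns the recovered "%20" into a space, so the checked
    # value "Tax 17" is not what the user typed and the regex rejects it.
    print("two decoding rounds:", enforce(raw, 2))  # ("Tax 17", False)

    # Constructed attack-style value: rejected after a single round as well,
    # so enforcing after the first round does not weaken the check here.
    print("one round, bad input:", enforce("%3Cscript%3E", 1))
```

Run it as a script to see the three cases side by side; the interesting line is the two-round result, where the enforced value differs from the one the client sent.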

Workaround

This issue has no workaround at this time.

Fix Information

The system now enforces user input parameters after the first decoding round.

Behavior Change