Last Modified: Nov 22, 2021
Known Affected Versions:
Opened: Sep 12, 2013 Severity: 3-Major
You occasionally see false positives because ASM performs a second URL-decoding pass on the parameter value: %25 is decoded to % in the first pass, and the resulting % is then treated as the start of a new escape sequence in the second pass.
Occasional false positives occur.
-- The policy has some parameters configured with regular expression checks that allow characters frequently permitted in passwords, including alphanumeric characters and many special characters, notably the percent sign (%).
-- When a client sends a parameter with a properly URL-encoded percent sign followed by some digits
This issue has no workaround at this time.
The system now enforces user-input parameter checks after the first decoding round, so a properly encoded %25 in a parameter value is no longer decoded a second time.
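The following is an added illustration of the symptom and of the fix, not code from F5 or from this article. It models the parameter regex described under the conditions with a hypothetical pattern (alphanumerics plus common password specials including %, but no quote characters), constructs a sample password that literally contains "%27", and compares the check after one decoding round (the fixed behaviour) with the check after two rounds (the behaviour that produced the false positive). The sample value and the pattern are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Hypothetical parameter check modelled on the one described in the article:
# alphanumerics plus special characters common in passwords, including the
# percent sign, but no quote characters. Not an actual ASM policy setting.
PASSWORD_PATTERN = re.compile(r"^[A-Za-z0-9%!@#$^&*()_+=.\-]+$")


def decode_rounds(value: str, rounds: int) -> str:
    """Apply URL percent-decoding the given number of times."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def parameter_accepted(raw_value: str, rounds: int, pattern=PASSWORD_PATTERN) -> bool:
    """True if the value passes the regex check after `rounds` decoding passes."""
    return pattern.fullmatch(decode_rounds(raw_value, rounds)) is not None


# Constructed sample: the user's literal password is  pass%27word
# (it really contains a percent sign followed by two digits).
LITERAL_PASSWORD = "pass%27word"
# A well-behaved client percent-encodes the % as %25 on the wire.
ON_THE_WIRE = "pass%2527word"


def demo() -> dict:
    """Show the value after each decoding round and whether the check passes."""
    first = decode_rounds(ON_THE_WIRE, 1)   # "pass%27word": the literal password
    second = decode_rounds(ON_THE_WIRE, 2)  # "pass'word": the % is decoded again
    return {
        "after_one_round": first,
        "after_two_rounds": second,
        # Fixed behaviour: enforce after the first round only.
        "accepted_one_round": parameter_accepted(ON_THE_WIRE, 1),
        # Old behaviour: the quote produced by the second round violates the
        # regex, even though the client sent a properly encoded, legal value.
        "accepted_two_rounds": parameter_accepted(ON_THE_WIRE, 2),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

Any value whose first decoding yields % followed by two hex digits is exposed the same way; the character produced by the extra round decides whether the regex (or a signature) fires, which is why the effect looked random to operators.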