Bug ID 436924: Extra normalization clearance of high ASCII can cause false positive attack signatures

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11

Fixed In:
11.6.0, 11.5.2, 11.5.0 HF1, 11.4.1 HF6, 11.2.1 HF11

Opened: Nov 07, 2013

Severity: 3-Major

Symptoms

False positive attack signatures (e.g. 200002271) are triggered on an x-www-form-urlencoded POST request containing a string of Shift-JIS characters represented as %-encoded bytes.

Impact

False positive attack signatures (e.g. Signature ID 200002271 appears to be erroneously detected).

Conditions

Sending high ASCII characters to a security policy configured with a non-English encoding.

Workaround

N/A

Fix Information

We added the internal parameter "dont_norm_high_ascii". When it is set to 0 (the default value), the system removes high ASCII bytes as part of the normalization process. When it is set to 1, the system leaves high ASCII bytes in place and does not remove them. Consider setting this parameter to 1 if your web application uses a non-English encoding in which high ASCII bytes are legal: removing these bytes may lead to false positive detection of attack signatures when the bytes that remain exactly compose an attack signature.
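The following is an added illustration of the mechanism behind this bug, not F5 code and not the BIG-IP ASM normalization path. It models the step the fix notes describe: a form value is percent-decoded, and with the default setting every byte of 0x80 or above is dropped before signature matching. In Shift-JIS the second byte of a two-byte katakana character lies in the ASCII range 0x40-0x7E, so stripping the lead bytes leaves plain ASCII letters that can happen to spell a signature keyword. The signature set, the field names and the Japanese sample values are all constructed for the example; the page does not give the pattern behind signature 200002271, so the regexes here are hypothetical stand-ins.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed stand-in for an attack-signature set.  The page names signature
# 200002271 but not its pattern, so these regexes are hypothetical examples of
# the kind of ASCII keyword a signature looks for, not F5's definitions.
SIGNATURES = {
    "hypothetical-sql-select": re.compile(rb"\bSELECT\b", re.IGNORECASE),
    "hypothetical-sql-concat": re.compile(rb"\|\|"),
}


def parse_form_body(body: bytes) -> dict:
    """Split an x-www-form-urlencoded body into raw (still %-encoded) values."""
    fields = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        name, _, value = pair.partition(b"=")
        fields[name] = value
    return fields


def normalize(raw_value: bytes, dont_norm_high_ascii: int = 0) -> bytes:
    """Simplified model of the normalization step the fix notes describe.

    The value is percent-decoded to bytes; with dont_norm_high_ascii == 0 (the
    default described on the page) every byte >= 0x80 is then dropped before
    signature matching.  With 1 the bytes are kept.  This re-creation is for
    illustration only and is not the BIG-IP ASM implementation.
    """
    decoded = unquote_to_bytes(raw_value.replace(b"+", b" "))
    if dont_norm_high_ascii:
        return decoded
    return bytes(b for b in decoded if b < 0x80)


def matched_signatures(raw_value: bytes, dont_norm_high_ascii: int = 0) -> list:
    """Names of the hypothetical signatures that fire on the normalized value."""
    text = normalize(raw_value, dont_norm_high_ascii)
    return [name for name, pat in SIGNATURES.items() if pat.search(text)]


def percent_encode(data: bytes) -> bytes:
    """Encode every byte as %XX, the way a client submits raw Shift-JIS bytes."""
    return b"".join(b"%%%02X" % b for b in data)


def demo() -> dict:
    # Constructed request bodies.  "ゴウキウイサ" is Shift-JIS 83 53 83 45 83 4C
    # 83 45 83 43 83 54: drop the 0x83 lead bytes and the trail bytes read
    # "SELECT".  "セキュリティ" is an ordinary word whose trail bytes read "ZLeB"
    # and match nothing, the usual (harmless) outcome of the same stripping.
    collision = percent_encode("ゴウキウイサ".encode("shift_jis"))
    harmless = percent_encode("セキュリティ".encode("shift_jis"))
    body = b"comment=" + collision + b"&title=" + harmless
    fields = parse_form_body(body)
    return {
        "comment_stripped": normalize(fields[b"comment"]),
        "comment_hits_default": matched_signatures(fields[b"comment"]),
        "comment_hits_keep_high_ascii": matched_signatures(fields[b"comment"], 1),
        "title_stripped": normalize(fields[b"title"]),
        "title_hits_default": matched_signatures(fields[b"title"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the block shows the false positive on the `comment` field with the default setting (the stripped value is exactly `SELECT`), no hit once high ASCII bytes are kept because the 0x83 lead bytes break the keyword apart, and no hit either way on the `title` field. The point for a defender is that the collision depends only on which trail bytes a legitimate string happens to use, which is why the fix notes recommend dont_norm_high_ascii=1 for policies whose application encoding makes high ASCII bytes legal.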

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips