Bug ID 436924: Extra normalization clearance of high ASCII can cause false positive attack signatures

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10

Fixed In:
11.6.0, 11.5.2, 11.5.0 HF1, 11.4.1 HF6, 11.2.1 HF11

Opened: Nov 07, 2013
Severity: 3-Major

Symptoms

False positive attack signatures (e.g. 200002271) are triggered on an x-www-form-urlencoded POST request containing a string that is actually Shift-JIS characters represented as %-encoded bytes.

Impact

False positive attack signature detections (e.g. Signature ID 200002271 appears to be erroneously detected).

Conditions

Sending high ASCII characters to a policy that uses a non-English encoding.

Workaround

N/A

Fix Information

We added the internal parameter "dont_norm_high_ascii". If the value is set to 0 (the default value), the system removes high ASCII bytes as part of the normalization process. If the value is set to 1, the system leaves high ASCII bytes in place. Consider setting this parameter to 1 if your web application uses a non-English encoding where high ASCII bytes are legal. Removing these bytes may lead to false positive detection of attack signatures when the remaining bytes exactly compose an attack signature.
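
An added illustration of this failure mode (not F5's code and not part of the original bug report): a simplified model of the normalization step, assuming it percent-decodes the value and then drops every byte at or above 0x80 when `dont_norm_high_ascii` is 0. The signature pattern and the sample text are constructed; the pattern is a hypothetical stand-in, not the content of Signature ID 200002271.

```python
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

# Hypothetical stand-in for an attack signature (assumption, not an ASM signature).
TOY_SIGNATURE = re.compile(rb"union\s+select", re.IGNORECASE)


def normalize(raw_value: bytes, dont_norm_high_ascii: int = 0) -> bytes:
    """Simplified model of the normalization described in Fix Information.

    0 (default): percent-decode, then remove high ASCII bytes (>= 0x80).
    1:           percent-decode and leave high ASCII bytes in place.
    """
    decoded = unquote_to_bytes(raw_value.replace(b"+", b" "))
    if dont_norm_high_ascii == 1:
        return decoded
    return bytes(b for b in decoded if b < 0x80)


def signature_hits(raw_value: bytes, dont_norm_high_ascii: int = 0) -> bool:
    """True if the toy signature matches the normalized value."""
    normalized = normalize(raw_value, dont_norm_high_ascii)
    return TOY_SIGNATURE.search(normalized) is not None


# Constructed sample: katakana whose Shift-JIS encoding is a high lead byte
# (0x83) followed by a trail byte in the ASCII letter range. The text carries
# no attack; it was chosen so the trail bytes line up with the toy signature.
SAMPLE_TEXT = "ザクオグク ゴウキウイサ"
SAMPLE_FIELD = quote_from_bytes(
    SAMPLE_TEXT.encode("shift_jis"), safe=""
).encode("ascii")  # the value as it appears in the urlencoded POST body


if __name__ == "__main__":
    print("on the wire        :", SAMPLE_FIELD.decode("ascii"))
    for flag in (0, 1):
        print(f"dont_norm_high_ascii={flag}:",
              normalize(SAMPLE_FIELD, flag),
              "-> signature hit" if signature_hits(SAMPLE_FIELD, flag) else "-> clean")
```

With the flag at 0 only the trail bytes survive and they spell the signature text; with the flag at 1 the lead bytes stay between them, the pattern does not match, and the value still decodes to the original Shift-JIS string.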

Behavior Change