Bug ID 522974: ASM should support multiple content types

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
11.4.1, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0

Opened: May 13, 2015

Severity: 3-Major

Symptoms

A POST body that is valid JSON and carries a URL-encoded script inside a string value can pass through an ASM policy undetected when the request is sent with a Content-Type such as "application/www-form-encoded;json". ASM handles the body as JSON, where the still-encoded string matches no attack signature, while the web server interprets the same body as form-encoded and URL-decodes it, so the script reaches the application.

Impact

A malicious script embedded as a URL-encoded string in a valid JSON POST body may pass through ASM undetected and reach the web server in decoded form.

Conditions

An ASM policy with JSON handling configured for a single URL that accepts both form-encoded and JSON input.

Workaround

N/A

Fix Information

Added an internal parameter, "decode_application_payload", that triggers one round of decoding for requests whose body is handled by the JSON/XML/GWT parsers. The decoding is applied regardless of the "Content-Type" header value.

Internal parameter name: decode_application_payload
Possible values:
  "0" (default): decoding is not activated.
  "1": one round of decoding is activated.
Shell command: /usr/share/ts/bin/add_del_internal add decode_application_payload 1
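The following script is an added illustration, not F5 code, of the parser disagreement described under Symptoms and of the effect of the one-round decoding described under Fix Information. It models the two views of one body: an inspector that trusts the JSON profile sees only encoded strings, while a backend that treats the same bytes as form-encoded URL-decodes them. The sample body, the Content-Type string, the "<script" stand-in signature and the decode_rounds knob are constructed for the example; decode_rounds imitates the documented behaviour of decode_application_payload (one extra round of decoding before matching) and is not ASM's implementation.

```python
import json
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote

# Constructed sample request: valid JSON whose only string value is a
# URL-encoded script, sent with the ambiguous Content-Type from the bug.
BODY = '{"comment":"%3Cscript%3Ealert(1)%3C%2Fscript%3E"}'
CONTENT_TYPE = "application/www-form-encoded;json"

# Stand-in for an attack signature; a real policy matches far more than this.
SIGNATURE = "<script"


def split_content_type(value: str) -> Tuple[str, List[str]]:
    """Split a Content-Type header into its media type and parameter list.

    Shows why the header is ambiguous: the base type says form-encoded,
    the parameter list says json.
    """
    base, _, rest = value.partition(";")
    params = [p.strip() for p in rest.split(";") if p.strip()]
    return base.strip().lower(), params


def contains_signature(text: str) -> bool:
    return SIGNATURE in text.lower()


def json_view(body: str) -> List[str]:
    """Strings an inspector using the JSON profile would match against."""
    out: List[str] = []

    def walk(node) -> None:
        if isinstance(node, dict):
            for key, val in node.items():
                out.append(key)
                walk(val)
        elif isinstance(node, list):
            for val in node:
                walk(val)
        elif isinstance(node, str):
            out.append(node)

    walk(json.loads(body))
    return out


def form_view(body: str) -> List[str]:
    """Strings a backend sees when it parses the same body as form-encoded.

    parse_qsl URL-decodes names and values, so the encoded script comes
    back as a literal <script> tag (here as a parameter name, since the
    body contains no '=').
    """
    out: List[str] = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        out.extend([name, value])
    return out


def inspector_hits(body: str, decode_rounds: int = 0) -> bool:
    """True if the JSON-profile inspector matches the signature.

    decode_rounds=1 models the fix: one round of URL decoding applied to
    the parsed strings before matching, whatever the Content-Type said.
    """
    strings = json_view(body)
    for _ in range(decode_rounds):
        strings = [unquote(s) for s in strings]
    return any(contains_signature(s) for s in strings)


def backend_hits(body: str) -> bool:
    """True if the form-encoded view of the body contains the signature."""
    return any(contains_signature(s) for s in form_view(body))


if __name__ == "__main__":
    print("content-type parts:", split_content_type(CONTENT_TYPE))
    print("JSON view strings :", json_view(BODY))
    print("form view strings :", form_view(BODY))
    print("inspector, no decode:", inspector_hits(BODY))
    print("backend (form parse):", backend_hits(BODY))
    print("inspector, 1 decode :", inspector_hits(BODY, decode_rounds=1))
```

Run it and the inspector misses the script without the extra decoding round, the form-parsing backend receives it decoded, and a single decoding round closes the gap for this payload. The same check is worth repeating against your own policy: send a body like BODY to a URL that has both JSON and form handling, and confirm the request is blocked before relying on the signature set alone.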

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips