Forum Discussion

Cirrus

Aug 24, 2015

bad unescape false positive

Hi, the ASM catch false positive attack "bad unescape" for such parameter, we need to bypass this signature at specific parameters and URL, not all security policy. and what the consequences i...

ASM Advanced WAF

security

samstep

Cirrocumulus

Aug 25, 2015

"good unescape" is URL encoding - when ASCII string is present in the format %00 - %FF - each byte is replaced with % followed its hexadecimal value (see https://en.wikipedia.org/wiki/Percent-encoding)

"bad unescape" is a string which uses percent sign followed by two characters which are NOT 0-9 A-F. For example: %2R

This is usually a sign of potential evasion of filters and cross-site-scripting attack attempts, however can also be a false positive, for example: someone's password could be "100%secure" , so "%se" in that password can be detected as "bad unescape".

The best practice of course is to loosen the policy just on the URLs/fields where you are seeing false positives (which you are already doing). If you decide to disable blocking of this violation policy-wide I would still advise to keep the "Alert" flag on.

Hope this helps, Sam

Forum Discussion

bad unescape false positive

Recent Discussions

URL

Portal Access to HTTPS resources slow

HOW TO HIRE A HACKER TO RECOVER STOLEN BITCOIN. CONTACT FASTFUND RECOVERY

Big-IP Next 20.2.0-2.375.1+0.0.43 iRule count problem

rewrite Azure AD response for portal access via web portal

Related Content

F5 Distributed Cloud WAF AI/ML Model to Suppress False Positives

Handle False Positive for files upload

CMS causing False Positives

Separating False Positives from Legitimate Violations

Attack Signature False Positive Mode