Forum Discussion

Nimbostratus

Feb 02, 2016

Bypass F5 ASM

Has anyone attempted to bypass F5 ASM? I tried the built-in features in nmap, sqlmap, and WAFW00F but unable to detect and bypass F5 ASM. I don't know if I did it right. I also found this artic...

Employee

Feb 02, 2016

If the ASM is properly configured, you should not be able to bypass it. If you can bypass it this would be considered either a misconfiguration or a defect.

The URL you reference is well known to me and requires a very specific configuration on the ASM. You would need to have the ASM configured to handle both JSON and form encoded data on the same URL (a highly specialized and unusual configuration to say the least). For most users this would be a misconfiguration, as a web application would normally either process JSON or form encoded data, possibly both on different URLs, but not likely both on the same URL.

If you are the administrator of the ASM it is fairly trivial to configure the BigIP to bypass the ASM for specific requests using Local Traffic Policies or iRules. As an end user this should not be possible.

Forum Discussion

Bypass F5 ASM

Recent Discussions

Rundeck ansible F5 errors

What is the meaning is 52% block in WAF

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

Bypassing ASM on HTTP response

Bot defence profile on F5 ASM

ASM Bypass v11.2.0: Muhahahahahahaha

F5 AWAF - bypass request based on the pressence of a request header - value

Bypass certificate check