Forum Discussion

Steve_88099
Nov 08, 2011

ASM length of Illegal URL

Hi,

I'm new to working with ASM. I have a policy in blocking mode in our test environment and the error I'm researching is:

Request blocked, violations: Illegal URL length

My question is: where is this length defined?

The developer doesn't think it is a significant risk.

The length of one of the URLs posted is 3848 characters.

I'm assuming this length is adjustable; if so, a pointer to some docs would be a great help.

Thanks

5 Replies

  • nathe

    Steve,

    I think this setting is located under Application Security - Options - Advanced Configuration - ecard_max_http_req_uri_len.

    If you go to Application Security - Policy - select your Policy - Blocking - Settings, you should be able to configure the Illegal URL Length triggers there. I take it Block is enabled? If Learn is too, then you can use it to reconfigure your policy.

    Hope this helps

    N
  • Steve,

    There is actually a much easier way to find what you are looking for and make the change. The URL Length is something that is defined under File Types. So you go to Application Security > File Types > Allowed file types and you will see the column for URL Length. You will need to know what the file extension is on the end of the URL being blocked and adjust the appropriate one.

    Nathan was correct, though, in saying that if you have learning turned on for Illegal URL length, you can go to Manual Policy Building > Traffic Learning and there you should see a violation for Length Errors; click on that and you should be able to find the block from there.

    Mike

  • Thanks for the replies, below is the added detail on my blocked transaction.

    If I understand Nathan's post, under Options - Advanced Configuration

    ecard_max_http_req_uri_len

    the default is set to 2048.

    I'm guessing changing this would affect all application URLs.

    I would like to adjust the length longer than the default for ONLY the relative starting URI /AdminCategories.do.......

    How do I do that?

    Thanks.

    From Export Security Events Report:

    Requested URL: [HTTPS]
    Web Application: my.company.com_asm
    Source IP Address: xx.xx.177.200:24454
    Destination IP Address: xx.xx.5.62:443
    Country: United States
    Time: 2011-11-09 14:37:55
    Request Status: Illegal, Blocked
    Severity: Warning
    Response Status Code: N/A
    Potential Attacks: N/A

    Detected Violations:
    Violation            Severity   Learn   Alarm   Block
    Illegal URL length   Warning    Yes     Yes     Yes

    Request
    GET
    /AdminCategories.do?method=Save&selectedCategories (Thousands of characters...)

  • Hmmmm..... I am not sure you can do that, because the URL length control is under the File Type, not the specific URL, so you would be adjusting the entire .do file type category. The only way I could think of to do what you are asking is to create another HTTP Class/Policy for just that URL. You can go and create an HTTP Class and then check the box that says URI Paths, select Match Only in the drop-down box and put in /AdminCategories.do. Then you can configure the URL length specifically for that URL. Obviously this is a bit messy in that you now have a separate policy for just the one URL, but you keep an edge on the security. Honestly, though, I would probably just adjust the URL Length for .do in the main policy and call it a day; as long as your back end server/application is configured well and can handle other .do URLs of the same length, there is really not much of a concern.

    Mike
  • For those who may stumble upon this thread, there are ASM features in addition to what Mike is referring to regarding file types.

    The gory details are in the Configuration Guide for BIG-IP Application Security Manager, spread out over chapter 6, Manually Configuring a Security Policy, and chapter 10, Working with Parameters.

    ASM has a very configurable and fine-grained model to interrogate traffic before it gets to the application server.

    The issue I ran into is that my application created a relative URI that was longer than the default allowed, and it was blocked.

    To customize a rule that will allow a longer URI is a 2-step process:

    Define an explicit URL.

    Define a parameter linked to your URL with the length allowed.

    Of course there are a couple more details, but that's what manuals are for ;-)
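The thread names three places a URL length limit can come from (the global ecard_max_http_req_uri_len, the URL Length per allowed File Type, and an explicit URL entry) and debates which one to widen. The Python model below is an added example, not F5 code: it assumes the precedence explicit URL > file type > global default and measures the whole request target (path plus query), both of which are simplifying assumptions, and uses constructed request lines shaped like the blocked 3848-character one so you can see which fix unblocks which URL.

```python
from urllib.parse import urlsplit
import posixpath

# Constructed sample policy (not F5 code; values assumed). The thread names three
# places a URL length limit can live: the global ecard_max_http_req_uri_len (default
# 2048 per the thread), the URL Length column per allowed File Type, and an explicit
# URL (last reply). This model resolves them as explicit URL > file type > global.
DEFAULT_POLICY = {
    "max_http_req_uri_len": 2048,
    "file_types": {},      # e.g. {"do": 4096} raises the limit for every .do URL
    "explicit_urls": {},   # e.g. {"/AdminCategories.do": 4096} for that URL only
}

def file_type_of(path):
    """Extension ASM would treat as the file type, or 'no_ext' when there is none."""
    ext = posixpath.splitext(path)[1]
    return ext[1:].lower() if ext else "no_ext"

def resolve_limit(path, policy):
    """Pick the effective limit and report which setting supplied it."""
    if path in policy["explicit_urls"]:
        return policy["explicit_urls"][path], "explicit URL"
    ftype = file_type_of(path)
    if ftype in policy["file_types"]:
        return policy["file_types"][ftype], f"file type .{ftype}"
    return policy["max_http_req_uri_len"], "ecard_max_http_req_uri_len"

def check_request(request_line, policy):
    """Return (blocked, detail) for one request line. Length is measured over the
    whole request target (path + query); which portion ASM measures is an assumption."""
    _method, target, _version = request_line.split(" ", 2)
    path = urlsplit(target).path
    limit, source = resolve_limit(path, policy)
    if len(target) > limit:
        return True, f"Illegal URL length: {len(target)} > {limit} ({source})"
    return False, f"ok: {len(target)} <= {limit} ({source})"

# Constructed request lines shaped like the blocked one in the thread (3848 chars).
LONG_ADMIN = "GET /AdminCategories.do?method=Save&selectedCategories=" + "0" * 3797 + " HTTP/1.1"
LONG_OTHER = "GET /Report.do?rows=" + "0" * 2990 + " HTTP/1.1"

def demo():
    """Blocked? for each request under the three fixes discussed in the thread."""
    per_url = dict(DEFAULT_POLICY, explicit_urls={"/AdminCategories.do": 4096})
    per_type = dict(DEFAULT_POLICY, file_types={"do": 4096})
    reqs = (LONG_ADMIN, LONG_OTHER)
    return {name: [check_request(r, p)[0] for r in reqs]
            for name, p in (("default", DEFAULT_POLICY), ("per_url", per_url), ("per_type", per_type))}
```

Running demo() shows the trade-off Mike describes: the explicit URL entry unblocks only /AdminCategories.do, while widening the .do file type also lets the other long .do request through.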