Forum Discussion

mgjk_229461
Jan 25, 2016

ASM - Truncated and Blocked, why?

I'm trying to figure out why this particular request keeps getting blocked.

 

Normally when I see a block, above the request details, it gives some clue as to why exactly it was blocked. This one only shows the lowest-violation rating, nothing else, except "critical, blocked"

 

I'm not entirely sure what it means by "truncated". Does it mean that the request reached the F5 in a truncated state? Does it mean the UI truncated it when displaying it? Did it mean the F5 truncated it?

 

The strangest part is that the request is generated by a URL which contains a string much like "http://example.com/?q=(%20foo%20)". Internal JavaScript causes this request to hit the server multiple times as %28%2520foo%2520%29, i.e., double-escaped %20 and single-escaped '('. This is the request that gets blocked.

 

When I change my request to "http://example.com/?q=%28%20foo%20%29", the internal JavaScript generates the longer, even more bizarre %2528%2520foo%2520%2529, which does not get blocked.

 

I'm a bit of a n00b here, any ideas?

1 Reply

  • The F5 reporting module truncates requests over 5 KB (it used to be 10 KB before v11.4.0) when logging the requests. This is done to save space in the F5 ASM's internal reporting database/disk. Otherwise an attacker could easily fill up the disk on the F5s by repeatedly sending large illegal requests. The actual request reaches the backend server in its normal state (unless you are in BLOCKING mode, in which case the request never reaches the back-end and the attacker gets the blocking response page).

     

    Check out F5 Solution sol12044: The BIG-IP ASM Reporting screen now truncates request details for requests more than 5 KB in size

     

    The violation you have appears to be the Multiple Decoding evasion, where attackers double- or triple-encode (or escape) the URI parameters to avoid detection. ASM allows you to increase the decoding passes when tuning the policy under Blocking/Settings/RFC Violations/Evasion Technique Detected. I suggest you increase it to 3.

     

    I guess the actual question for you is to analyze whether you want these kind of requests blocked or whether it is a false positive due to spaces/extra escaping in URI and you need to modify your policy.

     

    Hope this helps,

     

    Sam
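The following is an added example, not code from the thread or from F5. It models the two behaviours discussed above: a strict percent-encoder (assumed here to behave like the poster's page JavaScript, encoding everything except RFC 3986 unreserved characters, so that "(" becomes %28 and "%" becomes %25) and a decoder that counts how many decoding passes a parameter value needs, so you can see which values would still carry encoded bytes after a policy's allowed number of passes. It is a simplified model; how ASM itself decodes and matches is not described on the page. The function names and the "allowed passes" check are assumptions of this example.

```javascript
// Added example (not from the thread or F5): model multiple percent-encoding
// and count the decoding passes a parameter needs.

const UNRESERVED = /[A-Za-z0-9\-._~]/;
const PCT_ESCAPE = /%[0-9A-Fa-f]{2}/;

// Percent-encode every byte except RFC 3986 unreserved characters.
// Assumed to mirror the poster's page JavaScript: unlike encodeURIComponent,
// it also encodes "(" and ")", and it re-encodes an existing "%" as %25,
// which is what turns (%20foo%20) into %28%2520foo%2520%29.
function strictEncode(str) {
  return Array.from(new TextEncoder().encode(str))
    .map((b) => {
      const ch = String.fromCharCode(b);
      if (b < 0x80 && UNRESERVED.test(ch)) return ch;
      return "%" + b.toString(16).toUpperCase().padStart(2, "0");
    })
    .join("");
}

// Decode repeatedly, at most maxPasses times, until no %XX escapes remain.
// Returns the final value, the number of passes used, whether the value was
// still encoded when the pass budget ran out (the "multiple decoding" case),
// and whether an escape sequence was malformed (e.g. %E9 alone is not UTF-8).
function decodeWithPasses(str, maxPasses) {
  let value = str;
  let passes = 0;
  let malformed = false;
  while (passes < maxPasses && PCT_ESCAPE.test(value)) {
    let next;
    try {
      next = decodeURIComponent(value);
    } catch (e) {
      malformed = true; // URIError: leave the value as it is and stop
      break;
    }
    value = next;
    passes += 1;
  }
  const exhausted = !malformed && PCT_ESCAPE.test(value);
  return { value, passes, exhausted, malformed };
}

// Policy-style check (assumption of this example): with `allowedPasses`
// decoding passes, does the parameter come out fully decoded?
function assessParam(raw, allowedPasses) {
  const r = decodeWithPasses(raw, allowedPasses);
  let verdict = "ok";
  if (r.malformed) verdict = "malformed encoding";
  else if (r.exhausted) verdict = "still encoded after allowed passes";
  return { decoded: r.value, passes: r.passes, verdict };
}

// Constructed sample values, taken from the shapes quoted in the thread.
const SAMPLES = [
  "(%20foo%20)",                 // what the poster typed into the URL
  "%28%2520foo%2520%29",         // what the page JavaScript then sent (blocked)
  "%2528%2520foo%2520%2529",     // the variant that was not blocked
  strictEncode(strictEncode(strictEncode("( foo )"))), // triple-encoded
  "100%25",                      // a value that legitimately decodes to "100%"
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    console.log(s, "->", assessParam(s, 2), "| with 3 passes:", assessParam(s, 3).verdict);
  }
}
```

With the reply's suggested setting of 3 passes, both of the poster's double-encoded values decode fully to "( foo )" in two passes; only a triple-encoded value still carries escapes at a budget of 2, which is what raising the pass count is meant to catch or let through, depending on whether such requests are legitimate for the application.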