svs
Sep 28, 2016

ASM Violation "HTTP Header Injection"

Hi Folks,

 

In the last few days I have seen the violation "HTTP Header Injection" very often in my manual traffic learning. When looking at the request I can't really understand what causes this violation. Typically it's related to "0xa" within the request body. In fact this just means a newline. I know that this can be used in form fields to inject protocol headers (i.e. in SMTP), but in my case this is just HTTP and was a newline within the request. It appeared several times in the request, but only one was causing this violation.

 

Typically I would clear this violation and wait until it returns a second time, but I can't because this will block legal requests. So today I can only see false positives for this kind of signature.

 

I would like to share an example request with you, but if I stripped the sensitive content, you wouldn't see the interesting parts. So for now I will try to get experiences from you related to this violation and maybe some more information about it and how to handle this violation (without just disabling all the signatures).

 

Hopefully this is clear.

 

Thanks in advance.

 

Greets, svs

 

2 Replies

  • Tikka_Nagi_1315
    Historic F5 Account

    Without seeing the actual HTTP Request it's difficult to answer this question. You could open a support case and provide the details.

     

    The violation 'HTTP Header Injection' is triggered by Signature ID 200018023. You can disable the signature 200018023 and customize a new signature to allow “0xa” and “0xd”. Please refer to the manual chapter: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-3-0/asm_attack_sigs.html?sr=474886781031942

     

  • I've tried to remove sensitive data from the full request to post it, but the relevant part of the request contains the sensitive data. So removing or replacing it won't help to find the cause of it.

     

    I saw this HTTP Header Injection suddenly on every single installation I've done. I thought of an issue with the signature database, but currently there is no update. I will do as you have suggested and open a support case for this.

     

    Thanks for your help.

     

    Greets, svs
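
An added example, not part of the original thread and not F5's code: a small script for triaging this kind of false positive. It lists every CR/LF run in a request body, flags the ones followed by header-shaped text (an assumption about why one newline stands out among several, not the signature's documented logic), and masks letters and digits so the output can be attached to a support case. The sample body and all function names are constructed.

```python
import re

# Assumption: a line break followed by "Token: value" is what makes a body
# newline resemble an injected header. This is the generic shape of header
# injection, not the documented logic of the ASM signature.
HEADER_LIKE = re.compile(rb"[A-Za-z0-9_.-]+:[ \t]*\S")

# Constructed sample body: three line breaks, only one precedes header-shaped text.
SAMPLE_BODY = b"comment=first line\nsecond line 42\r\nX-Note: internal 7\nlast"


def redact(data: bytes) -> bytes:
    """Mask digits as '9' and letters/non-ASCII bytes as 'x'; keep punctuation, CR, LF."""
    out = bytearray()
    for b in data:
        if 0x30 <= b <= 0x39:
            out.append(ord("9"))
        elif b >= 0x80 or chr(b).isalpha():
            out.append(ord("x"))
        else:
            out.append(b)
    return bytes(out)


def line_breaks(body: bytes, context: int = 24):
    """Return one record per CR/LF run: offset, raw bytes (hex), flag, redacted context."""
    records = []
    for m in re.finditer(rb"[\r\n]+", body):
        records.append({
            "offset": m.start(),
            "bytes": m.group().hex(),
            # Match from the end of the line break, not only within the context window.
            "header_like": HEADER_LIKE.match(body, m.end()) is not None,
            "after": redact(body[m.end():m.end() + context]),
        })
    return records


if __name__ == "__main__":
    for rec in line_breaks(SAMPLE_BODY):
        print(rec)
```

The redaction keeps byte length and punctuation, so offsets reported by the script still line up with the original request.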