Manual Chapter : Securing Base64-Encoded Parameters

Applies To:

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Overview: Securing Base64-Encoded Parameters

Base64 is a compact encoding that is not readable at a glance, and many applications use it to carry binary data in URLs or in hidden web form fields. It is an encoding, not a protection: anyone can decode it, and an attacker can just as easily base64-encode an attack payload. In its encoded form the payload consists only of the characters A-Z, a-z, 0-9, +, / and =, so quotes, angle brackets, keywords and other features that parameter checks look for are no longer present and the attack goes unnoticed. To provide better security for applications that use base64 encoding, Application Security Manager can decode user-input parameter values that are base64-encoded and apply the parameter checks to the decoded value instead.

Adding base64 decoding to a new user-input parameter

If your application uses base64 encoding, the system can apply base64 decoding to a user-input parameter. When the decoding is successful, the system applies the parameter checks specified in the security policy to the decoded value. When the decoding is not successful, the system issues the Illegal base64 encoded value violation and responds to the offending request according to the associated blocking policy.
  1. On the Main tab, click Security > Application Security > Parameters.
  2. Type the name for the new explicit parameter.
  3. For the Parameter Level setting, select where in a request the parameter is located.
    Option   Description
    Global   The parameter can occur anywhere and is not associated with a specific URL or flow.
    URL      The parameter occurs in the specific URL that you provide.
    Flow     The parameter occurs in the specific entry point URL or referrer URL that you provide.
  4. Leave the Perform Staging check box selected if you want the system to evaluate traffic before enforcing this parameter. Staging helps reduce the occurrence of false positives.
  5. For the Parameter Value Type setting, select User-input value.
  6. On the Data Type tab, for the Data Type setting, select either Alpha-Numeric or File Upload.
  7. Select the Base64 Decoding check box if you want the system to apply base64 decoding to values for this parameter.
  8. Configure any other properties that apply to this new parameter.
  9. Click Create. The screen refreshes, and the new parameter appears in the parameters list.
  10. To put the security policy changes into effect immediately, click Apply Policy.
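The following Python script is an added illustration of the behaviour the overview and the procedure above describe (decode first, block on a decoding failure, otherwise run the parameter checks on the decoded value). It is not F5 code and does not reproduce how ASM is implemented; the attack signature, the length limit, the violation name "Attack signature detected" and the decision to treat non-canonical base64 (unused trailing bits that are not zero) as illegal are all assumptions made for the example. Only the violation name "Illegal base64 encoded value" comes from the chapter.

```python
"""Toy model of "decode base64, then apply the parameter checks".

Added example, not F5/ASM code. It demonstrates why the decode step matters:
the base64 alphabet [A-Za-z0-9+/=] contains none of the characters a
SQL-injection signature looks for, so a check run on the raw value sees nothing.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for an attack signature (assumption; real signatures are far richer).
SQLI_SIGNATURE = re.compile(r"""['"]\s*(or|and)\s+\d+\s*=\s*\d+|--\s*$|union\s+select""", re.I)

ILLEGAL_B64 = "Illegal base64 encoded value"   # violation name from the chapter
ATTACK_SIG = "Attack signature detected"        # assumption: generic signature violation
ILLEGAL_LEN = "Illegal parameter value length"  # assumption: generic length violation


@dataclass
class Decision:
    action: str                 # "pass" or "block"
    violation: Optional[str]    # None when the value passes
    decoded: Optional[str]      # the value the checks actually ran on


def strict_b64decode(value: str) -> bytes:
    """Decode standard base64, rejecting anything that is not well-formed.

    validate=True makes Python reject characters outside the alphabet and
    bad padding. The re-encode comparison additionally rejects non-canonical
    encodings such as "QUJ=" (decodes to b"AB", but its unused trailing bits
    are not zero). Treating those as illegal is this example's choice, not
    documented ASM behaviour.
    """
    raw = base64.b64decode(value, validate=True)
    if base64.b64encode(raw).decode("ascii") != value:
        raise binascii.Error("non-canonical base64 encoding")
    return raw


def check_parameter(value: str, base64_decoding: bool, max_length: int = 64) -> Decision:
    """Evaluate one alpha-numeric user-input parameter value.

    If Base64 Decoding is enabled for the parameter, a value that does not
    decode is blocked with the Illegal base64 encoded value violation; the
    remaining checks run on the decoded text. Without decoding, the checks
    run on the raw value, which is exactly how an encoded payload slips past.
    """
    if base64_decoding:
        try:
            decoded = strict_b64decode(value).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return Decision("block", ILLEGAL_B64, None)
    else:
        decoded = value

    if len(decoded) > max_length:
        return Decision("block", ILLEGAL_LEN, decoded)
    if SQLI_SIGNATURE.search(decoded):
        return Decision("block", ATTACK_SIG, decoded)
    return Decision("pass", None, decoded)


if __name__ == "__main__":
    payload = "' OR 1=1--"                                  # constructed attack value
    encoded = base64.b64encode(payload.encode()).decode()   # "JyBPUiAxPTEtLQ=="
    print("without decoding:", check_parameter(encoded, base64_decoding=False))
    print("with decoding:   ", check_parameter(encoded, base64_decoding=True))
    print("malformed:       ", check_parameter("not%20base64!", base64_decoding=True))
    print("non-canonical:   ", check_parameter("QUJ=", base64_decoding=True))
```

Running the script shows the same encoded value passing when the parameter is evaluated raw and being blocked once decoding is enabled, which is the whole point of the Base64 Decoding check box. The malformed and non-canonical inputs show the other outcome the chapter describes: a value that does not decode is reported as an Illegal base64 encoded value rather than being checked as text.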

Adding base64 decoding to an existing user-input parameter

When enabled, the system can decode base64 encoding in a user-input parameter. If the decoding is successful, the system applies the parameter checks specified in the security policy. If the decoding is not successful, the system issues the Illegal base64 encoded value violation and responds to the offending request according to the associated blocking policy.
  1. On the Main tab, click Security > Application Security > Parameters > Parameters List.
  2. In the Parameters List filter, select Parameter Value Type in the left list, select User-input value in the right list, and click Go. The screen refreshes and lists only user-input parameters.
  3. In the Parameter Name column, click the name of the parameter to which you want to add base64 decoding. The Parameter Properties screen opens.
  4. On the Data Type tab, select the Base64 Decoding check box so the system applies base64 decoding to values for this parameter.
    Note: The base64 decoding setting is available only for user-input parameters of the alpha-numeric or file upload data type.
  5. Click Update. The screen refreshes, and displays the parameters list.
  6. To put the security policy changes into effect immediately, click Apply Policy.