
Q&A: What is Evasion technique detected: Multiple decoding?

Question 

  • What is Evasion technique detected: Multiple decoding?
    • Common details related to Evasion technique detected within the WAF Violation Summary
      • Violations: Evasion technique detected
      • Sub Violation(s): Evasion technique detected: Multiple decoding
      • Attack Type: Detection Evasion
      • Signature Name(s): []
      • Signature ID(s): []
      • Severity: Critical

Environment

  • Silverline WAF

Answer

  • The system decodes URI and parameter values multiple times, up to the configured number of decoding passes, before the request is considered an evasion.
    • By default, the Silverline WAF policy allows 4 decoding attempts (the maximum is 5).
    • Examples:
      • %2533 ==> %33 ==> '3'
      • %%332 ==> %32 ==> '2'
      • %%2533%32 ==> %%332 ==> %32 ==> '2'
      • %25252532 ==> %252532 ==> %2532 ==> %32 ==> '2'
  • For multiple decoding violations, you can increase or decrease the number of decoding passes that the system attempts to achieve normalization before a violation is triggered.
    • For example,
      • setting the value to 2 raises a violation if more than one pass is required to decode the entity, allowing only single-encoded entities
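
A simplified model of the pass counting described above, as an added example (not Silverline WAF code; the function names are hypothetical). It applies one percent-decoding pass at a time, reproduces the decoding chains listed in the examples, and flags a value when it needs more passes than the configured value minus one, which is an assumption generalized from the value-2 case above.

```python
import re

# One %XX escape: a percent sign followed by exactly two hex digits.
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_once(value):
    """Apply a single percent-decoding pass.

    A '%' that is not followed by two hex digits is left untouched, which is
    why '%%332' becomes '%32' (only the inner '%33' decodes on this pass).
    """
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), value)


def decode_chain(value):
    """Return [original, after pass 1, after pass 2, ...] until stable.

    Every pass that changes the value shortens it, so the loop terminates.
    """
    chain = [value]
    while True:
        nxt = decode_once(chain[-1])
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)


def passes_required(value):
    """Number of decoding passes needed to fully normalize the value."""
    return len(decode_chain(value)) - 1


def is_multiple_decoding_violation(value, configured_passes=4):
    """Assumed rule: violation when more than (configured_passes - 1)
    passes are needed. With 2, only single-encoded values are accepted."""
    return passes_required(value) > configured_passes - 1


if __name__ == "__main__":
    # Constructed sample values, taken from the examples listed above.
    for sample in ["%33", "%2533", "%%332", "%%2533%32", "%25252532"]:
        chain = " ==> ".join(decode_chain(sample))
        flagged = is_multiple_decoding_violation(sample, configured_passes=4)
        print(f"{chain}  passes={passes_required(sample)}  violation@4={flagged}")
```

Running the same values through a candidate setting before changing the policy shows which legitimately double-encoded parameters would start raising the violation.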

 
