- I need to know what the differences are between the UTF-8 and ISO-8859-1 baseline WAF policies.
- Is it all just centered around application encoding for the application/site the WAF is protecting?
- Silverline WAF
There are a few key differences between these two baseline policies, and they are based on application encoding.
- The Meta Character list will contain either approximately 122 characters (0x04 through 0x7a) or 251 characters (0x04 through 0xff), depending on the Application Language chosen for the web application.
- Single-byte character encodings (ISO-8859-1) will display almost all of the 8-bit ASCII characters as configurable meta characters, while multi-byte encodings (UTF-8 or big5) will display only the 7-bit ASCII characters that make up the first 127 characters of the ASCII table.
- This behavior is by design; it is not an issue with the product. This behavior occurs as a result of how different encoding is handled. For multi-byte encodings, the first bit of each byte in a multi-byte encoding is reserved to indicate the byte type, rather than indicating the decimal character value.
- For example, the 0xc6 single-byte value, which denotes the character Æ in ISO-8859-1 encoding, is not a valid single-byte character in UTF-8, since the leading bit is set to 1, denoting that this byte is part of a multi-byte sequence.
- Since it would be impractical to list all of the possible characters as meta characters when using multi-byte encodings (UTF-8 encoding contains more than 1.1 million characters, and these characters are not part of any known attacks), BIG-IP ASM considers all multi-byte characters as valid, and only allows the ability to configure the validity of the single-byte first 127 characters when using a multi-byte encoding.
- If the BIG-IP ASM receives a single-byte sequence when the application language is set to a multi-byte encoding, such as UTF-8, the character will fail the character decoding process. The "Failed to convert character" WAF violation will be triggered, and action will be taken per the currently configured blocking mask to either Learn, Alarm, Block, or a combination of all three.
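The following is an added illustration, not F5's code and not part of the answer above. It models the two behaviours the answer describes: a byte such as 0xc6 decodes to Æ under ISO-8859-1 but cannot be decoded on its own under UTF-8 (its leading bits mark it as the first byte of a two-byte sequence), and only code points in the encoding's configurable range are ever compared against the meta-character list. The byte ranges come from the answer; the disallowed set, the helper names and the "Illegal meta character" result label are assumptions made for the example.

```python
# Added example (not BIG-IP ASM code): strict decoding per application
# language, then meta-character checking only over the configurable range.

def utf8_byte_type(b: int) -> str:
    """Classify one byte by its leading bits, as UTF-8 defines them."""
    if b < 0x80:
        return "single"         # 0xxxxxxx: one 7-bit ASCII character
    if b <= 0xBF:
        return "continuation"   # 10xxxxxx: trailing byte of a sequence
    if 0xC2 <= b <= 0xDF:
        return "lead2"          # 110xxxxx: first byte of a 2-byte sequence
    if 0xE0 <= b <= 0xEF:
        return "lead3"          # 1110xxxx: first byte of a 3-byte sequence
    if 0xF0 <= b <= 0xF4:
        return "lead4"          # 11110xxx: first byte of a 4-byte sequence
    return "invalid"            # 0xC0, 0xC1, 0xF5..0xFF never occur in UTF-8


def configurable_metachar_range(language: str) -> range:
    """Code points exposed as configurable meta characters (ranges from the post).

    The post describes these as roughly 122 and 251 entries; the ranges it
    gives, 0x04..0x7a and 0x04..0xff, contain 119 and 252 values.
    """
    if language.lower() in ("iso-8859-1", "latin-1", "latin1"):
        return range(0x04, 0x100)   # single-byte encoding: 0x04 through 0xff
    return range(0x04, 0x7B)        # multi-byte encoding: 0x04 through 0x7a


def check_parameter(raw: bytes, language: str, disallowed: set) -> list:
    """Simplified model of the two outcomes described in the post.

    1. Decode strictly in the configured application language; a byte that
       is not a complete character in that encoding ends the check with a
       "Failed to convert character" result.
    2. Otherwise compare each character against the disallowed meta
       characters, but only within the configurable range: under UTF-8 every
       multi-byte character (code point >= 0x80) is accepted as-is.
    """
    try:
        text = raw.decode(language)
    except UnicodeDecodeError as e:
        bad = raw[e.start]
        return [f"Failed to convert character (byte 0x{bad:02x} "
                f"at offset {e.start}, type {utf8_byte_type(bad)})"]

    configurable = configurable_metachar_range(language)
    violations = []
    for ch in text:
        cp = ord(ch)
        if cp in configurable and ch in disallowed:
            violations.append(f"Illegal meta character 0x{cp:02x}")
    return violations


if __name__ == "__main__":
    # Constructed sample policy: only "<" is disallowed.
    sample_disallowed = {"<"}
    for lang in ("iso-8859-1", "utf-8"):
        print(lang, b"\xc6", check_parameter(b"\xc6", lang, sample_disallowed))
    # Æ encoded as the valid two-byte UTF-8 sequence 0xc3 0x86 is accepted.
    print("utf-8", b"\xc3\x86<", check_parameter(b"\xc3\x86<", "utf-8", sample_disallowed))
```

Running the block shows the raw 0xc6 byte passing under ISO-8859-1 (Æ is in the configurable range but not disallowed), failing conversion under UTF-8, and the properly encoded two-byte Æ passing under UTF-8 with only the "<" flagged. This is the practical reason a client or proxy that emits Latin-1 bytes against a UTF-8 policy shows up as "Failed to convert character" rather than as a meta-character violation.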