WAF 390700


Rule ID



Active rule currently published.

Alert Message

Atomicorp.com WAF Rules: Invalid filename in FILES argument. Which may be a possible attempt at multipart/form-data bypass


This rule can be triggered if an attacker attempts to bypass the WAF's multipart assembler. Several known attack methods attempt to bypass WAFs this way.

Additionally, if any of the following characters are used in a filename this rule will be triggered:


These characters are not supported in the filename and are reserved characters.

False Positives

False positives are rare with this rule. We do not recommend you disable this unless you want to ignore any evasion based on the multipart parser in the WAF. Currently there are no known vulnerabilities in the 2.5.12 version of the WAF (ASL versions 2.2.7 and up are not vulnerable). Therefore, if you know that your client sends an invalid multipart message when uploading a file, you are running the latest version of ASL, and you do not care about detecting and blocking evasion-based attacks, disable this rule. We do not recommend you disable this rule; rather, we recommend fixing the application to ensure that it does not accept broken multipart messages.

If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if it's a clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page.

Tuning Recommendations

If you know that this behaviour is acceptable for your application, you can tune it by disabling this rule for the application or virtual host.

If you wish to tune this rule yourself, please see the Tuning the Atomicorp WAF Rules page for basic information.

Similar Rules


Knowledge Base Articles


Outside References

