Protecting the quality of data entering an API is critical, especially when server-side validation is missing, forgotten, or never implemented. The F5 ASM (Application Security Manager) can act as a compensating layer of validation in front of the API, enforcing the structure and types of request bodies and so reducing risk while a permanent application-side fix is developed. It complements validation in the application itself rather than replacing it.
How F5 ASM Compensates for Missing Server-Side Validation
When server-side data validation is overlooked, the F5 ASM can enforce JSON schema validation for POST/PUT/PATCH requests. Below is a step-by-step guide to implementing this security measure.
Steps to Implement JSON Schema Validation in F5 ASM
1️⃣ Define the Endpoint in “Allowed URLs”
- Select the correct HTTP method (e.g., POST).
2️⃣ Create a Content Profile Object
- Name it after the payload model the endpoint accepts (e.g., “AddAirportDto” for the POST request that creates an airport), so the profile maps back to the API contract.
3️⃣ Apply the Content Profile to the URL
- Match the Content-Type header (e.g., application/json) so the profile is applied to JSON request bodies.
- Adjust the match for internal APIs that may send non-standard headers, and confirm that requests whose Content-Type does not match are not left unparsed by the default entry.
4️⃣ Upload and Apply the JSON Schema File
- Attach the schema to the Content Profile.
- Use versioning (e.g., schema_v1.json, schema_v2.json) for tracking changes.
5️⃣ Test the Endpoint with Postman (or curl)
- Send a payload that conforms to the schema and confirm it reaches the backend.
- Send payloads that violate it (missing required field, wrong type, unexpected property, malformed JSON) and verify that each is rejected and appears as a violation in the ASM Event Log.
6️⃣ Maintain Schema Versions
- Update schemas as needed, keeping historical versions for rollback.
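The whole procedure above is configured through the ASM GUI, so the page has no code showing what the attached schema actually decides. The following Python script is an added example, not the page's or F5's code: it emulates, for a handful of constructed request bodies, the allow/block decision an ASM JSON content profile makes once a schema is attached, and contrasts a strict schema with a permissive one (a point the steps imply but do not spell out). The AddAirportDto field names and limits (iataCode, name, country, latitude, longitude) are assumptions, as is the shape of `SCHEMA_PERMISSIVE`; the validator covers only the JSON Schema keywords the example uses, so it illustrates the mechanism and is not a substitute for a full validator or for testing against the real ASM.

```python
"""Added example, not code from the original post or from F5: a plain-Python
emulation of what an ASM JSON content profile decides once a schema is attached.
The AddAirportDto fields and limits are assumptions, and only the JSON Schema
keywords used below are implemented."""
import json
import re

# Assumed schema_v1.json for the POST AddAirportDto (hypothetical field set).
SCHEMA_V1 = {
    "type": "object",
    "required": ["iataCode", "name", "country", "latitude", "longitude"],
    "additionalProperties": False,
    "properties": {
        "iataCode": {"type": "string", "pattern": "^[A-Z]{3}$"},
        "name": {"type": "string", "minLength": 1, "maxLength": 100},
        "country": {"type": "string", "minLength": 2, "maxLength": 2},
        "latitude": {"type": "number", "minimum": -90, "maximum": 90},
        "longitude": {"type": "number", "minimum": -180, "maximum": 180},
    },
}

# Permissive schema (no "required", extras allowed), as often produced from one sample payload.
SCHEMA_PERMISSIVE = {
    "type": "object",
    "properties": {"iataCode": {"type": "string"}, "name": {"type": "string"}},
}

JSON_TYPES = {"object": dict, "array": list, "string": str,
              "integer": int, "number": (int, float), "boolean": bool}

def _type_ok(value, expected):
    # JSON keeps booleans apart from numbers; Python's bool is an int, so test it first.
    if expected in ("integer", "number") and isinstance(value, bool):
        return False
    return isinstance(value, JSON_TYPES[expected])

def violations(instance, schema, path="$"):
    """Return human-readable violations (empty list means valid). Keywords handled:
    type, required, properties, additionalProperties, pattern, min/maxLength, minimum, maximum."""
    out = []
    if "type" in schema and not _type_ok(instance, schema["type"]):
        return [f"{path}: expected {schema['type']}"]
    if isinstance(instance, str):
        if "minLength" in schema and len(instance) < schema["minLength"]:
            out.append(f"{path}: shorter than minLength {schema['minLength']}")
        if "maxLength" in schema and len(instance) > schema["maxLength"]:
            out.append(f"{path}: longer than maxLength {schema['maxLength']}")
        # JSON Schema "pattern" is unanchored, hence re.search rather than re.match.
        if "pattern" in schema and not re.search(schema["pattern"], instance):
            out.append(f"{path}: does not match {schema['pattern']}")
    elif isinstance(instance, (int, float)) and not isinstance(instance, bool):
        if "minimum" in schema and instance < schema["minimum"]:
            out.append(f"{path}: below minimum {schema['minimum']}")
        if "maximum" in schema and instance > schema["maximum"]:
            out.append(f"{path}: above maximum {schema['maximum']}")
    elif isinstance(instance, dict):
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in instance:
                out.append(f"{path}.{key}: required property missing")
        for key, value in instance.items():
            if key in props:
                out.extend(violations(value, props[key], f"{path}.{key}"))
            elif schema.get("additionalProperties", True) is False:
                out.append(f"{path}.{key}: additional property not allowed")
    return out

def asm_decision(raw_body, schema):
    """Emulate the content-profile check on one raw body: a body that is not even
    valid JSON is blocked outright, otherwise the schema decides."""
    try:
        instance = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return "blocked", [f"malformed JSON: {exc.msg}"]
    problems = violations(instance, schema)
    return ("blocked" if problems else "allowed"), problems

# Constructed request bodies (not captured traffic), one per failure class.
REQUESTS = {
    "valid": b'{"iataCode":"LHR","name":"Heathrow","country":"GB","latitude":51.47,"longitude":-0.45}',
    "missing_field": b'{"iataCode":"LHR","name":"Heathrow","country":"GB","latitude":51.47}',
    "wrong_type": b'{"iataCode":"LHR","name":"Heathrow","country":"GB","latitude":"51.47","longitude":-0.45}',
    "extra_field": b'{"iataCode":"LHR","name":"Heathrow","country":"GB","latitude":51.47,"longitude":-0.45,"isAdmin":true}',
    "bad_pattern": b'{"iataCode":"lhr1","name":"Heathrow","country":"GB","latitude":51.47,"longitude":-0.45}',
    "malformed": b'{"iataCode":"LHR","name":"Heathrow",}',
}

def decisions(schema):
    """Map every constructed request name to allowed/blocked under one schema."""
    return {name: asm_decision(body, schema)[0] for name, body in REQUESTS.items()}

if __name__ == "__main__":
    for label, schema in (("schema_v1", SCHEMA_V1), ("permissive", SCHEMA_PERMISSIVE)):
        print(label)
        for name, body in REQUESTS.items():
            verdict, why = asm_decision(body, schema)
            print(f"  {name:13} {verdict:8} {'; '.join(why)}")
```

Running it prints one verdict per body under each schema. Under `SCHEMA_V1` only the conformant body is allowed; under the permissive schema the missing field, the wrong type, the unexpected `isAdmin` property and the malformed IATA code all pass, and only the syntactically broken body is blocked. The lesson for step 4 is that the schema file is the control: without `required`, `additionalProperties: false` and type or range constraints, the content profile only proves that the body parses.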
You Should Know: Essential Commands & Tools
JSON Schema Validation
- Use `jq` (Linux) to check that a document is well-formed JSON before sending it to an API; `jq empty` parses the input, produces no output, and exits non-zero on malformed JSON:
echo '{"key": "value"}' | jq empty || echo "Invalid JSON"
- Python JSON Schema validation with the `jsonschema` package (`pip install jsonschema`); `validate` raises `jsonschema.ValidationError` when the instance does not match the schema:
import jsonschema
schema = {"type": "object", "properties": {"name": {"type": "string"}}}
jsonschema.validate(instance={"name": "test"}, schema=schema)
Note that this schema only constrains `name` when it is present; add `"required": ["name"]` and `"additionalProperties": false` if missing or unexpected fields must be rejected.
F5 ASM CLI Commands
- List the configured ASM policies and their settings:
tmsh list asm policy
- Save the running BIG-IP configuration to a single configuration file (written under /var/local/scf/) as a device-level backup:
tmsh save sys config file asm_backup
This is a snapshot of the whole device configuration, not a per-policy export; to export one ASM policy itself (for backup or for version control alongside the schema files) use `tmsh save asm policy <policy_name> xml-file <file_name>`.
Testing with curl or Postman
- Send a test API request (the same request can be built in Postman); `-i` prints the response status and headers, so a block by ASM is distinguishable from a backend response:
curl -i -X POST -H "Content-Type: application/json" -d '{"name":"test"}' http://api.example.com
Repeat with a payload that violates the schema and confirm that the request is blocked rather than forwarded.
Windows PowerShell Validation
- Check that a string is well-formed JSON in PowerShell (`ConvertFrom-Json` throws on malformed input, and `-ErrorAction Stop` turns that into a terminating error):
$json = '{"name": "test"}' | ConvertFrom-Json -ErrorAction Stop
To validate against a schema rather than only for well-formedness, `Test-Json -Schema` (PowerShell 6.1 and later) is available.
What Undercode Say
F5 ASM provides a short-to-medium-term mitigation for missing API validation, keeping the service protected while developers implement permanent fixes. By enforcing JSON schemas it rejects malformed or out-of-schema payloads before they reach backend systems; it does not catch values that are well-formed but semantically wrong, so the application-side fix is still required.
For long-term security, combine F5 ASM with OWASP API Security best practices, such as:
– Input sanitization
– Rate limiting
– Role-based access control (RBAC)
Automate schema validation in CI/CD pipelines using tools like OpenAPI Validator or Spectral.
Expected Output:
A secure API endpoint that rejects invalid payloads, logs violations, and integrates with existing security workflows.
Reported By: Grahammattingley F5asm – Hackers Feeds