Forum Discussion

rmoss25
Feb 20, 2021

ASM and OPSWAT Metadefender Blank Page after file upload

Hi,

I am trying to integrate F5 ASM WAF with OPSWAT MetaDefender, but when I try to upload an EICAR file the browser just shows a blank white page. I am using a default security policy in blocking mode and have configured the settings according to the F5 BIG-IP ASM (WAF) OPSWAT guide.

  • I have configured the ICAP server under Security > Options > Application Security > Integrated Services > Anti-Virus Protection.
  • I have configured the antivirus block settings under Security > Application Security > Policy Building > Learning and Blocking Settings > Advanced Configuration.
  • I have enabled antivirus scanning for HTTP file uploads and SOAP attachments under Security > Application Security > Integrated Services > Anti-Virus Protection.

When I try to upload the test file I get a blank browser page, and if I check the source code in the browser I see the following:

window["bobcmn"] = "101110101010102000000022ffffffff2ffffffff20000000220156c0ea200000000200000000200000000300000044multipart%2fform%2ddata%3b%20boundary%3d%2d%2d%2d%2dWebKitFormBounda300000000300000000300000000300000000300000007httpsc3000000b008a59e5661ab20000adb568196d38950bf7928e988d64266cafbda4956605335d523cb0c44e211db089aede8158b2800a5d271c7e2a6f9d94d8c4ad7cd49022d5f72b236f5ca5943b07c111a9484727f3b29e542d2d2302b300000002TS300000165%2d%2d%2d%2d%2d%2dWebKitFormBoundaryxbm3Qt79jKjmxoOz
Content%2dDisposition%3a%20form%2ddata%3b%20name%3d%22filename%22%3b%20filename%3d%22eicar.com%22
Content%2dType%3a%20application%2foctet%2dstream

X5O!P%25@AP[4%5cPZX54(P%5e)7CC)7}%24EICAR%2dSTANDARD%2dANTIVIRUS%2dTEST%2dFILE!%24H%2bH%2a
%2d%2d%2d%2d%2d%2dWebKitFormBoundaryxbm3Qt79jKjmxoOz%2d%2d
200000000";
</script>
</APM_DO_NOT_TOUCH>
<script type="text/javascript" src="/TSbd/08a59e5661ab2000a21cb91986bc897b6b354965ec350caba4c8ca55a7b089798844a4727e8dc553?type=5"></script><noscript>Please enable JavaScript to view the page content.<br/>Your support ID is: 8648386876400468880.</noscript>
</head><body>
</body></html>

Is there something in the ASM policy that needs to be changed?

  • websec

    I have the exact same issue, except we're not using Metadefender but a different scanning engine.

    A 'virus found' should result in the response page I have configured, with a 500 status code and the support ID embedded in JSON, but instead I get a 200 with this HTML page and JavaScript.

    Running v15.1.1

  • Hello,

    What client do you use to send request?

    Do you configure any other protection on your VS except anti-virus protection?

    According to the data in the blocking response page ("Please enable JavaScript to view the page content") it seems like you send the request from a client which doesn't support JS, while according to your configuration (maybe you have a Bot profile) it must support it.

    Most probably this issue is not related to anti-virus protection in itself.

    What violations (blocking reasons) do you get in the request log?

    Thanks, Ivan

  • websec

    We have a basic web page that allows attaching a file upload; eicar.txt is used in our case. This is posted as multipart.

    Behaviour is consistent with different browsers: both Chrome and Edge show the same result. Both have javascript enabled in the settings.

    There are no additional protections active on the VS: DoS protection and Bot defense are disabled.

    The only violation that is shown is 'Virus found'.

    • Ivan_Chernenkii

      Ok, got it. Several more questions to localize the problem:

      1. What version of BIG-IP do you use?
      2. What details are shown for the "Virus found" violation?
      3. Do you send it as a regular POST request or as an AJAX request?
      4. Do you configure any Device ID functionality like Brute Force, Session Awareness, Web Scraping?

      Thanks, Ivan

  • websec

    To answer your questions:

    1. v15.1.1
    2. See image
    3. It's an AJAX request. Here is the full post:

    # AJAX multipart POST: a JSON "data" part followed by the eicar.txt file part
    Invoke-WebRequest -Uri "https://www.website.com/api/fdf/form/posttask" `
      -Method "POST" `
      -Headers @{
        "Accept"="application/json, text/javascript, */*; q=0.01"
        "X-DIF-APIKEY"="101D9BEF-F159-4470-BB9C-D6C30AC12F77"
        "X-Requested-With"="XMLHttpRequest"
        "X-DIF-CAT"="asrnl"
        "User-Agent"="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"
        "Origin"="https://www.website.com"
        "Sec-Fetch-Site"="same-origin"
        "Sec-Fetch-Mode"="cors"
        "Sec-Fetch-Dest"="empty"
        "Referer"="https://www.website.com/uploadtest"
        "Accept-Encoding"="gzip, deflate, br"
        "Accept-Language"="en-US,en;q=0.9,nl;q=0.8"
        "Cookie"="CID=AgAAADeLJKEDWTAfH9/3824Y1hU=; _vwo_uuid_v2=D79FABC26D88B00181DA273DE0FA01732|a3af3f7fde6cd39080de5466a00b3dcc; _ga=GA1.2.239643387.1565878568; _vwo_uuid=D50512767714774C8FD6FFC6562EDC54B; adblockerconsent=accept; __utma=129357340.239643387.1565878568.1608811504.1608811504.1; __utmz=129357340.1608811504.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cookieconsent=accept; _gid=GA1.2.274112240.1613403340; ASP.NET_SessionId=hwmx0noyheme4rnswzv50id3; nl__api_fdf=rd4o00000000000000000000ffff0a91c064o80; TS010f430c=0153897e825a2d8b6291176f68b75aaf38f80657ede5e3f6bbe9bfa8fd9958326c5f9a67b53a459b1d313fcf0918ec81b2d7b973a4d223de578505ef34c9804e8b7e3ecb06; SC_ANALYTICS_GLOBAL_COOKIE=4f642f1b13ce4ac297873cf1930adca6|True; TS01a8b93c=0153897e82b55b18155e0864755a38a87583565c16b4de3683dc0af8c9810f6079d6fb77930892c6e373d5a82a42a6c3f98f6624de646aeaf24c2d498d24ffa27ce04ecc2c8f60ac56b421840003788a267e11d7ff; TS01931511=0153897e820cbfb068962d6c813f63d0f743dcabce96abc4bc18a75c5a18fad5d4c0149dc659de8455dc119c5a859f6baf598bc370ae8bddfb942aa7b3f7620b9f3f75a56a; OPTOUTMULTI=0:0|c1:1|c4:1; utag_main=v_id:016c95a2c1590021a53a8afa54900306d003606500c48`$_sn:36`$_se:67`$_ss:0`$_st:1613563167708`$dc_visit:14`$recommender_test:1`$ses_id:1613559424231%3Bexp-session`$_pn:16%3Bexp-session"
      } `
      -ContentType "multipart/form-data; boundary=----WebKitFormBoundaryhaOvsgi1vu8EAy5L" `
      -Body ([System.Text.Encoding]::UTF8.GetBytes(
        "------WebKitFormBoundaryhaOvsgi1vu8EAy5L$([char]13)$([char]10)" +
        "Content-Disposition: form-data; name=`"data`"$([char]13)$([char]10)$([char]13)$([char]10)" +
        "{`"Title`":`"upload_test`",`"Token`":`"f09e16fb-bde7-4d0f-9e91-004830b6c697`",`"FutureVersion`":false,`"LastUpdate`":`"a7d659b8-6ce3-4223-abf8-2879a7290648`",`"Trigger`":`"1_b_Verder`",`"FormInput`":[{`"Key`":`"rResultCode`",`"Soort`":`"tekst`"},{`"Key`":`"rMeldingenCode`",`"Soort`":`"tekst`"},{`"Key`":`"rMeldingen`",`"Soort`":`"tekst`"},{`"Key`":`"1_v_file`",`"Soort`":`"file_upload`",`"Waarde`":`"eicar.txt`"}]}$([char]13)$([char]10)" +
        "------WebKitFormBoundaryhaOvsgi1vu8EAy5L$([char]13)$([char]10)" +
        "Content-Disposition: form-data; name=`"eicar.txt`"; filename=`"eicar.txt`"$([char]13)$([char]10)" +
        "Content-Type: text/plain$([char]13)$([char]10)$([char]13)$([char]10)$([char]13)$([char]10)" +
        "------WebKitFormBoundaryhaOvsgi1vu8EAy5L--$([char]13)$([char]10)"))

    4. No Brute Force or Session Awareness. Web Scraping was renamed to Bot Defense after v14; we also do not use that.

    thx

    • Ivan_Chernenkii

      Thanks for the info.

      Do you have single-page application?

      If YES, then you need to enable single_page_application system variable on "Security ›› Options : Application Security : Advanced Configuration : System Variables" page.

      Also, most probably, you need to enable Ajax Blocking Behavior in Blocking Response Pages configuration.

      Can you try it?

      Thanks, Ivan

  • websec

    I think using EICAR has raised some flags at our security department. Now my local virus scanner kicks in immediately when I save my test file, where I had 30 secs before. I'll get back asap when I've found a way to continue testing.

  • websec

    Hi Ivan,

    After making the changes you suggested we have tested again, unfortunately without any change in behaviour.

    To clarify some more: we don't want a popup to appear; we want the Blocking Page Default with our custom response body (in JSON format) to be returned instead of the HTML/script code that is presented, so that the web page can act on that JSON.

    • Ivan_Chernenkii

      Do you still see "TSbd/xxxx?type=5" in your blocking page?

      In general, in v15.1.1, it means that "client side challenge" functionality is enabled in one of the features in your policy and the appropriate client side challenge cannot be resolved by the client; that is why you see a white page.

      Do you see the name of the detected virus in the violation details of the "Virus detected" violation?

      Thanks, Ivan
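As an added example (not code from the thread, from F5 or from OPSWAT): the JavaScript below classifies the response an AJAX upload gets back from the virtual server, distinguishing the client-side-challenge page Ivan describes from the custom JSON blocking page websec wants to act on. The challenge-page markers are taken from the page source pasted earlier in the thread (the `window["bobcmn"]` variable, the `/TSbd/<hex>?type=5` script and the "Your support ID is: N" noscript text). The JSON field names (`blocked`, `supportId`) and the sample responses are assumptions and constructed data; the thread never shows the custom blocking body.

```javascript
// Added example, not from the thread: classify the HTTP response an AJAX file
// upload gets back from a BIG-IP ASM virtual server, so a web page can act on
// it instead of rendering a blank page.
//   "challenge": the client-side-challenge page seen in the thread. Markers taken
//                from the pasted page source: window["bobcmn"], a /TSbd/<hex>?type=N
//                script, and the "Your support ID is: N" noscript fallback.
//   "blocked":   the policy's custom JSON blocking page. Field names are an
//                assumption; the thread never shows the body.
//   "passed":    anything else (the application's own response).
const SUPPORT_ID_RE = /Your support ID is:\s*(\d+)/;
const TSBD_SCRIPT_RE = /\/TSbd\/[0-9a-f]+\?type=\d+/;

function classifyAsmResponse(status, contentType, body) {
  const ct = (contentType || "").toLowerCase();

  if (ct.includes("text/html") && body.includes('window["bobcmn"]') && TSBD_SCRIPT_RE.test(body)) {
    const m = SUPPORT_ID_RE.exec(body);
    return { kind: "challenge", status, supportId: m ? m[1] : null };
  }

  if (ct.includes("application/json")) {
    let parsed = null;
    try {
      parsed = JSON.parse(body);
    } catch (e) {
      parsed = null; // malformed JSON is treated as a normal application response
    }
    // Assumed custom blocking body: {"blocked": true, "supportId": "<id>"}
    if (parsed && parsed.blocked === true) {
      return { kind: "blocked", status, supportId: parsed.supportId != null ? String(parsed.supportId) : null };
    }
  }

  return { kind: "passed", status, supportId: null };
}

// Browser-side upload that mirrors the thread's request (multipart, X-Requested-With)
// and routes on the classification. fetchImpl is injectable so the function can be
// exercised without a network.
async function uploadAndClassify(url, file, fetchImpl = globalThis.fetch) {
  const form = new FormData();
  form.append("filename", file, file.name);
  const resp = await fetchImpl(url, {
    method: "POST",
    headers: {
      "Accept": "application/json, text/javascript, */*; q=0.01",
      "X-Requested-With": "XMLHttpRequest",
    },
    body: form,
  });
  return classifyAsmResponse(resp.status, resp.headers.get("content-type"), await resp.text());
}

// Constructed samples modelled on the thread (not real captures; IDs are made up).
const SAMPLE_CHALLENGE_HTML =
  '<html><head><script>window["bobcmn"] = "1011101010101020000000...";</script>' +
  '<script type="text/javascript" src="/TSbd/0123456789abcdef?type=5"></script>' +
  '<noscript>Please enable JavaScript to view the page content.<br/>' +
  'Your support ID is: 1234567890123456789.</noscript></head><body></body></html>';
const SAMPLE_BLOCK_JSON = JSON.stringify({ blocked: true, supportId: "9876543210987654321" });
const SAMPLE_APP_JSON = JSON.stringify({ ok: true, taskId: 42 });

function demo() {
  return {
    challenge: classifyAsmResponse(200, "text/html; charset=utf-8", SAMPLE_CHALLENGE_HTML),
    blocked: classifyAsmResponse(500, "application/json", SAMPLE_BLOCK_JSON),
    passed: classifyAsmResponse(200, "application/json", SAMPLE_APP_JSON),
  };
}
```

A page that calls `uploadAndClassify` can show the support ID to the user in the "blocked" case and treat "challenge" as a configuration signal (the request reached a feature that expects the client to have solved a JavaScript challenge it never received) rather than writing the HTML into the document, which is what produces the blank page described in the thread.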

  • websec

    We do indeed see "TSbd/xxxx?type=5" in our response.

    The description of the Virus detected is "posttask/upload.txt EICAR Test String 11101 0"

    Your suggestion that it has something to do with client side challenge functionality led us to this article:

    https://support.f5.com/csp/article/K52300750

    This looks very much like the behaviour we are experiencing. Could this be our problem?