ASM and XSS

Question

We had our website security audited recently with it sitting behind our 6400 with an ASM. The ASM was configured and had been learning for a few months and we turned to finally start blocking attacks and had some XSS attempts get through. We checked our settings and I found that XSS wa addressed and supposedly blocked in our Generic Detection Signatures. At least it's my understanding that these signatures are being used since they are referenced in our Policy Attack Signature Set.  
&nbsp;  
&nbsp; The question we have is, do we need to turn something else on to blick these attacks or does Ziv need to come back out and work on our ASM? 
&nbsp;  
&nbsp; Thanks, 
&nbsp;  
&nbsp; Ken

hoolio · Answer

Hi Ken, 
&nbsp;  
&nbsp; I'd send Ziv an email.  I'm sure he'd be happy to help you get started in diagnosing/fixing the issue.   
&nbsp;  
&nbsp; Most of the XSS-related signatures are in the "All Systems" set.  Do you have this set enabled?  Are the signatures out of staging?  Is the policy in blocking mode for 'Attack Signature detected'? 
&nbsp;  
&nbsp; Where in the request is the XSS?  Is it in a parameter value, parameter name, header value, object, etc?  Do you hvae a wildcard object and/or parameter defined?  What is the text of the attack?  Can you post the HTTP headers/body of the attack example? 
&nbsp;  
&nbsp; Aaron

coda6_52611 · Answer

Yeah, I chatted with Ziv yesterday. But we got side tracked with the Oscars and beer.  
&nbsp;  
&nbsp; I'm slowly learning about the staging and how to get items out of staging and into a policy. So I think we got things covered.  
&nbsp;  
&nbsp; One thing I noticed was that the support docs describe a different ASM layout than I have for my ASM. How do I check which version of ASM I am running? Is the same as my LTM version? 
&nbsp;  
&nbsp; Thanks 
&nbsp;  
&nbsp; Ken

ido_breger_3805 · Answer

Yes , it is the same version

kai_3066 · Answer

Hi, 
&nbsp;  
&nbsp; where i can see the description of some Sets like 'Various Systems' , 'All Systems' and so on? 
&nbsp;  
&nbsp; Thanks 
&nbsp; Kai

benjamin_9036 · Answer

Hey albarus, 
&nbsp;  
&nbsp;    You can see which signatures are part of the System-specific sets using the filters when looking at the signatures on your ASM. Try browsing to the ASM UI -&gt; Options -&gt; Attack Signatures and expand the filter here. You can choose to view only signatures that match the sets you are looking for and determine which signatures are contained in a set. =]

Forum Discussion

ASM and XSS

Recent Discussions

BIG-IP Edge Endpoint Inspection Failure pre-VPN

How to export a list of paired external service providers from APM?

How to Renew F5 Device Certificate

BIG IP LTM - Multiple application on single VIP with multiple ports allowed.

Service discovery is not happening in AS3

Related Content

Cross Site Scripting (XSS) Exploit Paths

Mitigating OWASP Web Application Risk: Cross-Site Scripting (XSS) using F5 Advanced WAF

OWASP Mitigation Strategies Part 2: XSS Attacks

File Uploads and ASM

ASM don't block attack XSS

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS