For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

coda6_52611's avatar
coda6_52611
Icon for Nimbostratus rankNimbostratus
Feb 23, 2009

ASM and XSS

We had our website security audited recently with it sitting behind our 6400 with an ASM. The ASM was configured and had been learning for a few months and we turned to finally start blocking attacks and had some XSS attempts get through. We checked our settings and I found that XSS wa addressed and supposedly blocked in our Generic Detection Signatures. At least it's my understanding that these signatures are being used since they are referenced in our Policy Attack Signature Set.

 

 

The question we have is, do we need to turn something else on to blick these attacks or does Ziv need to come back out and work on our ASM?

 

 

Thanks,

 

 

Ken
app sec
BIG-IP Access Policy Manager (APM)
security

5 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Feb 23, 2009
    Hi Ken,

     

     

    I'd send Ziv an email. I'm sure he'd be happy to help you get started in diagnosing/fixing the issue.

     

     

    Most of the XSS-related signatures are in the "All Systems" set. Do you have this set enabled? Are the signatures out of staging? Is the policy in blocking mode for 'Attack Signature detected'?

     

     

    Where in the request is the XSS? Is it in a parameter value, parameter name, header value, object, etc? Do you hvae a wildcard object and/or parameter defined? What is the text of the attack? Can you post the HTTP headers/body of the attack example?

     

     

    Aaron
  • coda6_52611's avatar
    coda6_52611
    Icon for Nimbostratus rankNimbostratus
    Feb 24, 2009
    Yeah, I chatted with Ziv yesterday. But we got side tracked with the Oscars and beer.

     

     

    I'm slowly learning about the staging and how to get items out of staging and into a policy. So I think we got things covered.

     

     

    One thing I noticed was that the support docs describe a different ASM layout than I have for my ASM. How do I check which version of ASM I am running? Is the same as my LTM version?

     

     

    Thanks

     

     

    Ken
  • KAi_3066's avatar
    KAi_3066
    Icon for Nimbostratus rankNimbostratus
    May 15, 2009
    Hi,

     

     

    where i can see the description of some Sets like 'Various Systems' , 'All Systems' and so on?

     

     

    Thanks

     

    Kai
  • Benjamin_9036's avatar
    Benjamin_9036
    Historic F5 Account
    May 15, 2009
    Hey albarus,

     

     

    You can see which signatures are part of the System-specific sets using the filters when looking at the signatures on your ASM. Try browsing to the ASM UI -> Options -> Attack Signatures and expand the filter here. You can choose to view only signatures that match the sets you are looking for and determine which signatures are contained in a set. =]