Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Zdenda's avatar
Zdenda
Icon for Cirrus rankCirrus
Apr 03, 2018

ASM Api Rest $filter question

Hi, version 12.1.2, ASM module. I need to use $filter together with option "contains", not "eq" as commonly used. According to this article it should be possible, but it looks it is not as I've b...
ASM Advanced WAF
cloud
iControlREST
security
suttonsc's avatar
suttonsc
Icon for Employee rankEmployee
Jun 05, 2018

The syntax can be a bit tricky, for curl there is the added escaping that is not needed if using Postman. The following was tested using curl against BIG-IP v12.1.3.4:

 

Simple filter using contains:

 

$ curl -sku admin:admin https://155.121.lab.es.f5net.com/mgmt/tm/asm/policies/Fqpvw5rn1SzYqgrCR9CA1Q/signatures?\$filter=contains\(id,\'_zZQ8rpWoL9mFeg8MZqIIg\'\) | jq .
{
  "kind": "tm:asm:policies:signatures:signaturecollectionstate",
  "selfLink": "https://localhost/mgmt/tm/asm/policies/Fqpvw5rn1SzYqgrCR9CA1Q/signatures?ver=12.1.3&$filter=contains(id%2C'_zZQ8rpWoL9mFeg8MZqIIg')",
  "totalItems": 1,
  "items": [
    {
      "kind": "tm:asm:policies:signatures:signaturestate",
      "selfLink": "https://localhost/mgmt/tm/asm/policies/Fqpvw5rn1SzYqgrCR9CA1Q/signatures/_zZQ8rpWoL9mFeg8MZqIIg?ver=12.1.3",
      "signatureReference": {
        "link": "https://localhost/mgmt/tm/asm/signatures/3lXrJ-kq-EnlidWPaM32Ug?ver=12.1.3"
      },
      "lastUpdateMicros": 1464814636000000,
      "id": "_zZQ8rpWoL9mFeg8MZqIIg",
      "performStaging": true,
      "enabled": true
    }
  ]
}
`

When trying to parse the 'signatureReference' there is a invalid reference issue unless you expand and then filter:

`$ curl -sku admin:admin https://155.121.lab.es.f5net.com/mgmt/tm/asm/policies/Fqpvw5rn1SzYqgrCR9CA1Q/signatures?\$expand=signatureReference\(signature/id,\'3lXrJ-kq-EnlidWPaM32Ug\'\) | jq .
{
  "kind": "tm:asm:policies:signatures:signaturecollectionstate",
  "selfLink": "https://localhost/mgmt/tm/asm/policies/Fqpvw5rn1SzYqgrCR9CA1Q/signatures?$expand=signatureReference&ver=12.1.3&$filter=contains(signature%2Fid%2C'3lXrJ-kq-EnlidWPaM32Ug')",
  "totalItems": 1,
  "items": [
    {
      "kind": "tm:asm:policies:signatures:signaturestate",
      "selfLink": "https://localhost/mgmt/tm/asm/policies/Fqpvw5rn1SzYqgrCR9CA1Q/signatures/_zZQ8rpWoL9mFeg8MZqIIg?ver=12.1.3",
      "signature": {
        "matchesWithinGwt": true,
        "isUserDefined": false,
        "matchesWithinCookie": true,
        "selfLink": "https://localhost/mgmt/tm/asm/signatures/3lXrJ-kq-EnlidWPaM32Ug?ver=12.1.3",
        "matchesWithinParameter": true,
        "systems": [
          {
            "systemReference": {
              "link": "https://localhost/mgmt/tm/asm/signature-systems/b9hI1sIulARJ09bbdy0VQw?ver=12.1.3"
            }
          }
        ],
        "matchesWithinXml": true,
        "id": "3lXrJ-kq-EnlidWPaM32Ug",
        "matchesWithinHeader": false,
        "signatureId": 200000128,
        "matchesWithinJson": true,
        "name": "img tag: src/dynsrc/lowsrc (Parameter)",
        "lastUpdateMicros": 1525137548000000,
        "description": "Summary:\nThis event is generated when an attempt is made to exploit a Cross Site Scripting (XSS) vulnerability. This is a general attack detection signature (i.e. it is not specific to any web application).\n\n--\nImpact:\nSuccessful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.\n\n--\nDetailed Information:\nThis event indicates that an attempt has been made to exploit a Cross Site Scripting vulnerability in an application running on a webserver.\nCross Site Scripting (XSS) occurs when a web application doesn't sanitize user-supplied input and places it directly into the page returned to the user. Usually the attacker will submit malicious JavaScript, VBScript, ActiveX, HTML, or Flash code to the vulnerable web site.\n\n--\nAffected Systems:\nAll systems that accept user input are potentially affected.\n\n--\nAttack Scenarios:\nAn attacker can supply a malicious link designed to steal information from a user clicking on that link.\n\n--\nEase of Attack:\nVary from simple to medium.\n\n--\nFalse Positives:\nSome applications send various script code to the web server as legitimate input.\nSome free-text user input may match Cross Site Scripting signatures.\n\n--\nFalse Negatives:\nNone known.\n\n--\nCorrective Action:\nEnsure the system is using an up to date version of the software and has had all vendor supplied patches applied.\nUtilize \"Positive Security Model\" by accepting only known types of input in web application.\n\n--\nAdditional References:\n\nThe Cross Site Scripting (XSS) FAQ\nhttp://www.cgisecurity.com/articles/xss-faq.shtml\n\nCross-site scripting\nhttp://en.wikipedia.org/wiki/Cross_site_scripting\n\n--\n",
        "revision": "3",
        "attackTypeReference": {
          "link": "https://localhost/mgmt/tm/asm/attack-types/MFsWvSAV_Z5j1vSkR0hnXg?ver=12.1.3"
        },
        "matchesWithinResponse": false,
        "matchesWithinRequest": false,
        "matchesWithinUri": false,
        "accuracy": "low",
        "risk": "low",
        "signatureType": "request"
      },
      "lastUpdateMicros": 1464814636000000,
      "id": "_zZQ8rpWoL9mFeg8MZqIIg",
      "performStaging": true,
      "enabled": true
    }
  ]
}

Let me know if this answers your question.