ASM Attack signatures on URL/parameter
Hi,
I am trying to figure out violation logging when both URL and parameter are involved. Tested on 13.1.0.8.
Request:
- Post to URL: /post1
- Parameter in form (request body): parameter1
- Policy in Transparent
- Parameters on URL level
- Encoded XSS string in parameter1
Depending on the staging setting, the results are as follows:
- URL staging: Disabled
- Parameter staging: Enabled
Request reported in Event log:
- Status: Legal
- Violation rating: 4
- Violations detected: Illegal meta character in value, Attack signature detected
And second setting:
- URL staging: Enabled
- Parameter staging: Disabled
Request reported in Event log:
- Status: Illegal
- Violation rating: 4
- Violations detected: Illegal meta character in value, Attack signature detected
The above suggests that violation detection is only performed on parameters.
Still, it is a bit misleading that for the first staging setup the violation is detected in exactly the same way as for the second, but the request is reported as Legal.
Now the Attack signature settings are changed (both URL and parameter with staging disabled):
- Check attack signatures on this URL: Disabled
- Check attack signatures on this parameter: Enabled
Request reported in Event log:
- Status: Illegal
- Violation detected: Illegal meta character in value
And second setting:
- Check attack signatures on this URL: Enabled
- Check attack signatures on this parameter: Disabled
Request reported in Event log:
- Status: Illegal
- Violation detected: Illegal meta character in value
From the previous test it looked like only parameter signatures cause the request to be reported as Illegal, but from the above it seems that Attack signatures have to be checked on both URL and parameter to trigger Attack signature detected.
The results are quite confusing here.
I would expect results like this:
- No matter if staging is disabled, both requests should be listed as Illegal
- If only parameter Attack signatures are causing the request to be Illegal, then disabling Attack signatures on the URL should still trigger the Attack signatures violation.
How should an Event Log entry for a request with:
- Status: Legal
- Violation rating: 4
be interpreted in comparison to one where the status is Illegal?
Piotr