Forum Discussion
ASM Attack signatures on URL/parameter
Hi,
I am trying to figure out violation logging when both URL and parameter is involved. Tested on 13.1.0.8
Request:
- Post to URL: /post1
- Parameter in form (request body): parameter1
- Policy in Transparent
- Parameters on URL level
- Encoded XSS string in parameter1
Depending on staging setting results are like that:
- URL staging: Disabled
- Parameter staging: Enabled
-
Request reported in Event log:
- Status: Legal
- Violation rating: 4
- Violations detected: Illegal meta character in value, Attack signature detected
And second setting:
- URL staging: Enabled
- Parameter staging: Disabled
-
Request reported in Event log:
- Status: Illegal
- Violation rating: 4
- Violations detected: Illegal meta character in value, Attack signature detected
Above suggest that violation detection is only performed on parameters.
Still it is a bit misleading that for first staging setup violation is detected in exactly the same way as for second but request is reported as Legal.
Now Attack signature settings changed (both URL and parameter with staging disabled)
- Check attack signatures on this URL: Disabled
- Check attack signatures on this parameter: Enabled
-
Request reported in Event log:
- Status: Illegal
- Violation detected: Illegal meta character in value
And second setting:
- Check attack signatures on this URL: Enabled
- Check attack signatures on this parameter: Disabled
-
Request reported in Event log:
- Status: Illegal
- Violation detected: Illegal meta character in value
From previous test it looked like only parameter signatures cause request to be reported as Illegal, but from above it seems that Attack signatures has to be checked on both URL and parameter to trigger Attack signature detected.
Results are quite confusing here.
I would expect results like that:
- No matter if staging is disabled both request should be listed as Illegal
- If only parameter Attack signatures are causing request to be Illegal then disabling Attack signatures on URL should still trigger Attack signatures violation.
How Event Log entry for request with:
- Status: Legal
- Violation rating: 4
should be interpreted in compare to one where status is Illegal?
Piotr
- natheCirrocumulus
Piotr,
A violation on an object that is in Staging has always been classed as Legal...perhaps not an intuitive way of doing things, but been the ASM way and something I've had to remember over the years. Essentially Staging is monitoring the object for its properties so, I suppose, ASM can't judge whether (in your case) the metacharacter is required, or in the case of a file type the query length it sees is correct, so its classed by default as Legal.
So, your initial two tests are as I would expect. And illegal meta character in value is a parameter only check, as per the Blocking Settings.
The second test is odd as there no longer appears to be an "attack signature detected" violation.
I suspect if you add the metacharacters on the parameter i.e. make them allowed, and ran the same tests the "attack signature detected" violation would occur.
Hopefully.
N
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com