Hi i m doing Xss attack to the ASM with

Hi Zafer, ASM doesn't currently provide an option to base64 decode request components. But most web servers won't do this either so it's not a problem. If the web application does base64 decode whatever request component you're putting the base64 encoded attack string in, then you'd have a potential issue. What kind of app are you testing? Aaron

Hi hoolio the customer use apache tomcat. We tested several attack methods to the ASM and i can't find how to block encoded request based on hex and base64 regards zafer

Forum Discussion

Zafer_101134

Nimbostratus

Jan 14, 2011

asm capabilities encoded request

i m doing Xss attack to the ASM with

app sec

BIG-IP Access Policy Manager (APM)

security

2 Replies

hoolio
Cirrostratus
Jan 20, 2011
Hi Zafer,

ASM doesn't currently provide an option to base64 decode request components. But most web servers won't do this either so it's not a problem. If the web application does base64 decode whatever request component you're putting the base64 encoded attack string in, then you'd have a potential issue.

What kind of app are you testing?

Aaron
Zafer_101134
Nimbostratus
Jan 24, 2011
Hi hoolio

the customer use apache tomcat.

We tested several attack methods to the ASM and i can't find how to block encoded request based on hex and base64

regards

zafer