Forum Discussion
ASM: Disable violations for a certain URL
Hi All,
I have an ASM security policy for SharePoint (it was created by someone else). Unfortunately, there is a site in SharePoint for pentesters. A discussion board and so on... As you can imagine, the ASM is going crazy over all the discussions and uploads around common security leaks.
My thought was that I create a wildcard URL like
/sites/pentest/*
and as Request Body Handling "Do Nothing". But that doesn't work at all. ASM is still complaining. For example, in a request like this:
GET /sites/pentest/Lists/Discussion%20Board/'';!--XSS=
The ASM throws an "Illegal meta character in parameter name" violation.
Is there a way to allow any content for a specific URL? Or maybe another approach to handle this?
Thanks and regards, Joachim
7 Replies
- Jinshu
Cirrus
If you know the IP address of the source, whitelist the address and it will bypass the ASM signature match.
-Jinshu
- Joachim_Roessne
Nimbostratus
There are several pentesters around. I don't recognize if a new member is added to the site. I would always have to manage this whitelist. I would prefer a more comfortable way :-)
Joachim
- Joachim_Roessne
Nimbostratus
This one is driving me crazy. I can't figure out how to tell ASM to not inspect requests that belong to /sites/pentest/*
It is still complaining about requests like
/sites/pentest/lists/discussion0x20board/style0x20type=textcssbodybackgroundurl(javascriptalert('xss'))style
Of course it detects an attack signature on that URL. But how to allow that for a certain URL?
Any suggestions? Maybe the only way is to disable ASM by iRule when a request for /sites/pentest arrives. But that's not a good solution.
- Joachim
- nathe
Cirrocumulus
Joachim,
My view would be to create a separate ASM policy for the pentest site and then use a Local Traffic Policy or iRule to point traffic to /sites/pentest to the new ASM policy. This policy can be amended without compromising the other areas of your website.
Hope this helps,
N
- Jinshu
Cirrus
Hi Joachim,
Try using the iRule below to bypass the ASM. Let me know if this helps.
when HTTP_CLASS_SELECTED {
    # Turn ASM on for every request, then off again for the pentest site
    ASM::enable
    if { [HTTP::uri] starts_with "/sites/pentest/" } {
        ASM::disable
    }
}
-Jinshu
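A stricter variant of the URI test, as an added example that is not part of the original thread: `starts_with` on `[HTTP::uri]` compares the request exactly as it was sent, so this version decodes the path first and leaves ASM on whenever the path could still resolve outside the pentest site. It assumes the same BIG-IP version as the iRule above (the `HTTP_CLASS_SELECTED` event and `ASM::enable` without a policy argument).

```tcl
# Added example, not from the thread: same event and ASM commands as the
# iRule above, with a stricter test before inspection is switched off.
when HTTP_CLASS_SELECTED {
    # Default for every request on the connection: ASM stays on.
    ASM::enable

    # Compare against the decoded, lower-cased path only (no query string).
    set path [string tolower [URI::decode [HTTP::path]]]

    # Keep ASM on if the path could still resolve to somewhere else on the
    # server: dot segments, doubled or backward slashes, or percent-encoding
    # that is still present after one decode.
    if { ($path contains "..") || ($path contains "//") ||
         ($path contains "\\") || ($path contains "%") } {
        return
    }

    # Only a clean path under the pentest site bypasses inspection.
    if { $path starts_with "/sites/pentest/" } {
        ASM::disable
    }
}
```

Requests to the pentest site whose path itself contains `..` or a literal `%` are still inspected under this rule, which is the trade-off for not exempting anything outside that site.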
- Dan_L1
Nimbostratus
You can also use policies.
Local Traffic > Policies > asm_l7_policy_whatever.website.com > under Rules click on Add, give it a name, like policy_whitelist, operand: http-uri (leave rest of fields default) > condition: choose equals/contains/etc, value = your URI, click add, then click the Add further down where operand/event/etc is located.
In the Actions area, target > asm, action > disable. Click Add where target/event/etc. are, and Finished.
Then, once back at the main policy page, do a re-order and move the policy_whitelist you created above default, so it will disable on the URI string prior to hitting the default ASM enable. Once you've done this once or twice, it's pretty simple and can be used a lot.
The above iRule by Jinshu also works (does the same thing).
- Stefan_Klotz
Cumulonimbus
Hi Dan,
Tried your method for a different scenario, but it works great. Never played around with this section, but it seems to be very powerful and useful as well.
Thank you!
Ciao Stefan :)