
Forum Discussion

cdjac0bsen
Feb 06, 2019

ASM protection against SSRF

Anyone have experience in virtually patching an application vulnerable to SSRF (server-side request forgery) protected by ASM? If so, how did you configure ASM policy? Whitelist all allowed URLs?

 

1 Reply

  • F5 ASM can provide SSRF protection in many ways, including response signatures, parameter type enforcement and whitelisting.

    First of all you should find out:

    • which URLs of the application are vulnerable to SSRF
    • what the successful SSRF attack URL looks like and what is the 'good usage' URL

    I assume you can get this from the pen-test report. Once you have this information, it will become clearer what ASM policy changes you need to protect the application.
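The whitelisting approach mentioned in the reply, sketched as an added example (not code from this thread or from F5, and not ASM configuration): it shows the positive-security decision a parameter allowlist makes once the 'good usage' URL is known. The allowed hosts, scheme, port and sample values are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed 'good usage' profile for the URL-carrying parameter (hypothetical values).
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_PORTS = {None, 443}

def check_url_param(value):
    """Return (allowed, reason) for one value of the URL-carrying parameter."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)   # any IP literal is outside the profile
        return False, "IP literal not allowed"
    except ValueError:
        pass                         # not an IP literal, so treat it as a name
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    return True, "ok"

# Constructed sample values: one 'good usage' URL and values the profile must reject.
SAMPLES = [
    "https://images.example.com/a.png",
    "http://127.0.0.1/admin",
    "https://10.0.0.5/",
    "https://images.example.com@10.0.0.5/",
    "https://images.example.com.other.test/a.png",
    "https://cdn.example.com:8443/a.png",
]

def classify(samples):
    """Map each sample value to its (allowed, reason) verdict."""
    return {s: check_url_param(s) for s in samples}

if __name__ == "__main__":
    for value, (allowed, reason) in classify(SAMPLES).items():
        print("ALLOW" if allowed else "BLOCK", reason, value, sep="\t")
```

A check like this sees only the value in the request; the application should still validate the destination it actually connects to.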