Forum Discussion

JamesS_40157's avatar
JamesS_40157
Icon for Nimbostratus rankNimbostratus
Dec 16, 2011

ASM search engine configuration query

Hi all,     We are currently in the process of setting up the ASM for production use, and unfortunately I'm finding the documentation on search engine configuration quite lacking.     Sear...
app sec
BIG-IP Access Policy Manager (APM)
security
Mike_Maher's avatar
Mike_Maher
Icon for Nimbostratus rankNimbostratus
Dec 16, 2011
Well actually depending on what version of ASM you are running you may want to disable Web Scraping detection. There is an XSS vulnerability within that feature in 10.1.0 - 10.2.2.

 

 

https://support.f5.com/kb/en-us/solutions/public/12000/900/sol12953.html?sr=18293022

 

 

If you are running safe code to leave this enabled, another way to work around this might be to design an ASM iRule that matches the UA string against a safe list of UA strings you define as a data list, and then have it bypass the Web Scraping protection based upon that. I am definitely not an iRule guru so you will want to hunt through the Wiki's for more information. On how you might doe that, although you probably want to be careful doing something like that as it would be easy to spoof the UA string.