Forum Discussion
NimbostratusAWAF Detection Inconsistency Between Similar Test Payloads
Hi everyone,
I'm testing F5 AWAF against several attack payloads in a lab environment (crAPI).
I noticed some inconsistent detection behavior and would like to know whether this is expected, a signature coverage issue, or a content profile configuration issue.
Environment
F5 AWAF / ASM
Wildcard URL policy
Attack signatures enabled
Form Data, JSON, and XML request body handling configured
Default content profile set to "Apply value and content signatures and detect threat campaigns"
Case 1 - Command Injection
The following payload is detected:
POST /clam.php Content-Type: application/x-www-form-urlencoded cmd=cat /etc/passwd
AWAF triggers:
Unix "cmd" parameter execution attempt
However, the following payload is not detected:
POST /clam.php Content-Type: application/x-www-form-urlencoded cmd=127.0.0.1 && ls /etc
The request body is visible in the event logs, so parsing appears to be working correctly.
Has anyone observed similar behavior with command execution signatures?
Case 2 - Multipart Form Data
AWAF successfully detects directory traversal inside multipart/form-data:
Content-Disposition: form-data; name="/static/img/../../etc/passwd" test
However, some multipart XSS payloads are not detected, for example:
Content-Disposition: form-data; name="random" <x/Onpointerrawupdate=confirm()>xxxxx
while other XSS payloads such as onerror-based payloads are detected and blocked.
Questions
Is this expected signature coverage behavior?
Are command execution signatures expected to detect payloads like:127.0.0.1 && ls /etc
Are there known limitations for newer event handlers such as:onpointerrawupdate=
Would enabling Base64 Decoding in Header-Based Content Profiles have any effect on these cases, or is this unrelated because the payloads are not Base64 encoded?
Are there recommended Signature Sets or Evasion settings that improve detection for these payloads?
Any guidance would be appreciated.
3 Replies
- Anoop_Jayadharan
Cirrostratus
Hey Kuyidong
Have you enabled specific attack-type signatures and enforced them within the security policy? For example, signatures related to command execution or Cross-Site Scripting (XSS).
Have a good read about Multipart/form-data below.
- Nikoolayy1
MVP
About POST /clam.php Content-Type: application/x-www-form-urlencoded cmd=127.0.0.1 && ls /etc maybe see if there is no low level signature about this as if you are using medium/high level only this could be it. Also if you selected specific server technologies maybe then if this is a signature for Linux but you selected Windows in server technologies this could explain the Linux signatures are not applied.
I think I saw similar stuff 2 years and if needed raise F5 case but maybe this is considered not affecting currently systems (who knows ) and you may need to write a custom signature for it if F5 says that for them this is not security risk and this is not covered by low level signatures.
- zamroni777
incositently usually happens when the tested webserver (the pool member) has been compromized by your earlier attacks, e.g. script injection has been stored in the app's db.
if haven't, also set the Server Technologies config properly according to the tech used by pool member.
this config usually too strong for live use cases and needs to be loosen using learning from legitimate testers.
