Forum Discussion
AWAF Detection Inconsistency Between Similar Test Payloads
Hi everyone,
I'm testing F5 AWAF against several attack payloads in a lab environment (crAPI).
I noticed some inconsistent detection behavior and would like to know whether this is expected, a signature coverage issue, or a content profile configuration issue.
Environment
F5 AWAF / ASM
Wildcard URL policy
Attack signatures enabled
Form Data, JSON, and XML request body handling configured
Default content profile set to "Apply value and content signatures and detect threat campaigns"
Case 1 - Command Injection
The following payload is detected:
POST /clam.php
Content-Type: application/x-www-form-urlencoded

cmd=cat /etc/passwd
AWAF triggers:
Unix "cmd" parameter execution attempt
However, the following payload is not detected:
POST /clam.php
Content-Type: application/x-www-form-urlencoded

cmd=127.0.0.1 && ls /etc
The request body is visible in the event logs, so parsing appears to be working correctly.
Has anyone observed similar behavior with command execution signatures?
Case 2 - Multipart Form Data
AWAF successfully detects directory traversal inside multipart/form-data:
Content-Disposition: form-data; name="/static/img/../../etc/passwd"

test
However, some multipart XSS payloads are not detected, for example:
Content-Disposition: form-data; name="random"

<x/Onpointerrawupdate=confirm()>xxxxx
while other XSS payloads such as onerror-based payloads are detected and blocked.
Questions
Is this expected signature coverage behavior?
Are command execution signatures expected to detect payloads like: 127.0.0.1 && ls /etc
Are there known limitations for newer event handlers such as: onpointerrawupdate=
Would enabling Base64 Decoding in Header-Based Content Profiles have any effect on these cases, or is this unrelated because the payloads are not Base64 encoded?
Are there recommended Signature Sets or Evasion settings that improve detection for these payloads?
Any guidance would be appreciated.