Forum Discussion
CWE-20: Improper Input Validation
Good afternoon,
We've recently had a burp suite scan done on our F5 pair. This was the result:
The application may be vulnerable to DOM-based DOM data manipulation. Data is read from
window.location.search and passed to the 'setAttribute()' function of a DOM element.
The results page from the scan included the requests and responses to and from the F5s; so I believe this is not a false positive. I am wondering if there is a fix for this through an update? Currently, we're running "BIG-IP v15.1.10.3 (Build 0.0.12)"
- Lucas_Thompson (Employee)
Thanks for the question. Was there a URL associated with this error report? Are you using APM? Did you provide the scanner logon credentials so it could authenticate to the admin GUI or APM end-user logon page?
I do see a helper function that's used in the APM end-user logon page, decision box page, and endpoint-inspector status page that might trigger this alert, but it doesn't seem to be used in a way that's exploitable.
Vulnerability reports can be concerning. If you'd like a faster or tracked response on this question, get as many details as you can and please feel free to open a support ticket:
https://my.f5.com/manage/s/article/K2633
- bc81987 (Nimbostratus)
Yes, there is a URL, and we're using APM. The scanner has logon credentials. Everything seems to be working as intended. The issue is how to resolve this. Will an update from "BIG-IP v15.1.10.3 (Build 0.0.12)" work? If so, what version?
I have a ticket in with F5, but I haven't heard back from the solution engineer since 5/8. I'll reach out again.
Did you hear something from F5 support?
Without exact details, it is going to be difficult to say anything here.